FAQ

National Test Institute for Cybersecurity NTC

Initiative Projects

Ethical Hacking

Vulnerability Disclosure Policy

NTC Competence Network

About the NTC

What is the NTC's business model?

The activities of the National Test Institute for Cybersecurity NTC are not profit-oriented, but act exclusively in the interests of Swiss society and the economy. The association's activities are mainly financed by the public sector.
Is the NTC a federal authority?

No, the NTC is an independent, non-profit association under Swiss law.
Can anyone commission a test?

No. The NTC does not test on behalf of product suppliers, manufacturers or service providers in the private sector. Testing assignments in connection with critical infrastructures and authorities have top priority for the NTC. These are carried out completely independently. Any influence on the objectivity of the NTC is therefore excluded.
Is a label or certificate awarded after a test?

No. In order to maintain neutrality, no certifications are carried out in accordance with international or national standards that could be used by product suppliers, manufacturers or service providers to strengthen their market position.
Is the NTC not in competition with private providers?

No, the NTC tests products for vulnerabilities that would otherwise not be tested, largely on its own initiative and therefore at its own expense. These are typically digital products and networked infrastructures for which there are no responsible parties (e.g. boards of directors), insufficient regulation or other clients, or for which the market for verification does not function.

Without the NTC, these socially relevant products and systems would often not be tested at all. In practice, it has even been shown that the activities of the NTC generate new projects for the private sector. By highlighting vulnerabilities, the NTC raises security awareness in the organizations concerned. They recognize the importance and urgency of the issue and often seek support from private cyber security providers.
Does the NTC also take on commissioned projects?

Yes, the NTC examines the cyber security of critical infrastructures and authorities on behalf of clients in order to guarantee Switzerland's security and independence. In doing so, it cooperates with companies from the private sector rather than competing with them. If audits can also be carried out by Swiss IT security companies, the services offered by the NTC must be remunerated in line with the market. The NTC does not actively compete with private security companies.

Initiative Projects

What is an "initiative project"?

Initiative projects are tests of digital products and networked infrastructures initiated and self-financed by the NTC in order to uncover vulnerabilities. The NTC decides independently what is tested and how intensively, based on experience, observations and information from partners or the public. The results are published in accordance with the Vulnerability Disclosure Policy in order to make them accessible to the public.
Is it correct that the operators of critical infrastructure are not tested by the NTC because they most likely already carry out penetration tests themselves?

No, it is recognized that not all critical infrastructure operators can place the same priority on cybersecurity as they may not have sufficient skills and resources. If the NTC suspects, based on experience, observations and indications, that a critical infrastructure operator's system may be affected by vulnerabilities, security tests are initiated on a case-by-case basis.

Ethical Hacking

Why did the NTC commission an expert opinion on the criminal liability of ethical hacking?

The way in which initiative projects are structured as non-commissioned projects raises a number of questions with regard to possible criminal liability under Swiss criminal law. Those responsible at the NTC wanted to fully understand the Swiss legal situation in order to comply with the relevant regulations when testing.
Where can I download the report?

The report can be downloaded here. It is available in German. The summary is available in German, English, French and Italian.

Vulnerability Disclosure Policy

Why does the NTC publish details of vulnerabilities?

The NTC is convinced that the responsible disclosure of vulnerabilities makes an important contribution to increasing Switzerland's security. As stated in the NTC Vulnerability Disclosure Policy, the NTC pursues three objectives with the disclosure of vulnerabilities:

1) As a first step, vulnerability details are disclosed only to the vendor to ensure quick and accurate remediation of vulnerabilities and to protect affected systems.

2) Vulnerability patterns are publicly disclosed so that other organizations can learn from them and test their systems for the presence of the identified patterns. In addition, this information is used by researchers and manufacturers to develop measures and prevent errors.

3) Public disclosure of vulnerabilities, the affected products and the vendors as a warning of vulnerabilities to allow users to take their own precautions, especially if patches are not made available by the vendors or are made available late.
Does the affected organization have a say in whether the public is informed?

The NTC remains in contact with the affected organization throughout the vulnerability disclosure process and strives to find a solution that provides the greatest benefit to all parties involved. According to the NTC Vulnerability Disclosure Policy, there is some flexibility in the accuracy of the disclosure. However, the fact that vulnerabilities are made public is indisputable.
Is the name of the affected organization and product always published?

No. There are clear rules in the NTC Vulnerability Disclosure Policy that specify when details about the vendor, product or vulnerability will be disclosed. If there is a legitimate public interest in disclosing the details, they will be disclosed.
Does the NTC pass on information about vulnerabilities to the Swiss NCSC or to third parties?

No. The NTC is independent and does not normally share vulnerability information with the National Cyber Security Center NCSC or other third parties. The NTC reports vulnerabilities directly to the vendor or owner of the system, following the Vulnerability Disclosure Policy and the recommendations of the NCSC Coordination Policy on Vulnerability Disclosure:

Have you discovered a vulnerability in an IT system or in commercially available applications, software or hardware and want to report it?
The golden rule is to inform the provider or owner of the system directly. However, if these organizations do not respond to your report or their response is inadequate, the NCSC can act as an intermediary to resolve such security issues.

As suggested in the NCSC CVD and outlined in the NTC Vulnerability Disclosure Policy , if the vendor is unavailable or the vendor is unable or unwilling to address the vulnerability, the NTC may notify government agencies such as the NCSC.
Does the NTC assist software vendors or open source projects in remediating vulnerabilities reported by the NTC?

Ideally, the NTC will be involved in the patch development process and the NTC encourages vendors to work with NTC testers to ensure that patches are accurate and complete. Often a source code patch is proposed directly that fixes the underlying bug. For complex cases, the NTC usually works with the software maintainer to develop and verify a correct solution.

The NTC testers are available to provide feedback during the patch development process - an extra pair of eyes on a security patch can make a big difference, so the NTC encourages vendors to contact the NTC testers if they have questions or ideas they would like to discuss further. There have been several instances where the original patch was incomplete or inadvertently introduced another vulnerability, and the NTC has then worked with the maintainer/vendor to find a correct solution.

The NTC often provides additional guidance on ways to harden code, reduce the attack surface, design improvements, testing, and so on. This often leads to structural improvements that go beyond a single bug fix. Collaboration on these structural improvements is a specific goal of the NTC and is seen as an important long-term component of its work.
What can vendors do to facilitate the process of responsible vulnerability disclosure?

The NTC encourages organizations to adopt a Vulnerability Disclosure Policy (VDP) that creates a safe harbor where security researchers can easily and safely report vulnerabilities without fear of legal repercussions.

A great help for security researchers is a "/.well-known/security.txt" file on the website. The "security.txt" standard makes it possible to quickly find the responsible security contact on an organization's website. The standard provides for a text file with the name "security.txt" to be stored in the predefined directory "/.well-known" on the organization's website. This file contains at least the contact details that can be used to get in touch with the responsible security contact of an organization. In addition, further security-relevant information can be stored there.

Here is an example:
ncsc.admin.ch/.well-known/security.txt

Other resources that can help with implementing a vulnerability disclosure policy:

Security.txt - Deposit your security contact on your website (admin.ch) Vulnerability Disclosure Management - A guide for organizations and companies

Vulnerability Disclosure - OWASP Cheat Sheet Series

NTC Competence Network

What is the NTC Competence Network?

The Network of Competence is a pool of cyber security specialists from Switzerland and abroad. The network is regularly contacted by the NTC when additional expertise is required. This ensures that the necessary skills are available and that requests can be processed with the required quality.

Do you have any questions?