zum Inhalt springen

About the NTC

  • The activities of the National Test Institute for Cybersecurity NTC are not profit-oriented, but act exclusively in the interests of Swiss society and the economy. The association's activities are mainly financed by the public sector.

  • No, the NTC is an independent, non-profit association under Swiss law.

  • No. The NTC does not test on behalf of product suppliers, manufacturers or service providers in the private sector. Testing assignments in connection with critical infrastructures and authorities have top priority for the NTC. These are carried out completely independently. Any influence on the objectivity of the NTC is therefore excluded. 

  • No. In order to maintain neutrality, no certifications are carried out in accordance with international or national standards that could be used by product suppliers, manufacturers or service providers to strengthen their market position.

  • No, the NTC tests products for vulnerabilities that would otherwise not be tested, largely on its own initiative and therefore at its own expense. These are typically digital products and networked infrastructures for which there are no responsible parties (e.g. boards of directors), insufficient regulation or other clients, or for which the market for verification does not function.

    Without the NTC, these socially relevant products and systems would often not be tested at all. In practice, it has even been shown that the activities of the NTC generate new projects for the private sector. By highlighting vulnerabilities, the NTC raises security awareness in the organizations concerned. They recognize the importance and urgency of the issue and often seek support from private cyber security providers.

  • Yes, the NTC examines the cyber security of critical infrastructures and authorities on behalf of clients in order to guarantee Switzerland's security and independence. In doing so, it cooperates with companies from the private sector rather than competing with them. If audits can also be carried out by Swiss IT security companies, the services offered by the NTC must be remunerated in line with the market. The NTC does not actively compete with private security companies.

Initiative Projects

  • Initiative projects are tests of digital products and networked infrastructures initiated and self-financed by the NTC in order to uncover vulnerabilities. The NTC decides independently what is tested and how intensively, based on experience, observations and information from partners or the public. The results are published in accordance with the Vulnerability Disclosure Policy  in order to make them accessible to the public.

  • No, it is recognized that not all critical infrastructure operators can place the same priority on cybersecurity as they may not have sufficient skills and resources. If the NTC suspects, based on experience, observations and indications, that a critical infrastructure operator's system may be affected by vulnerabilities, security tests are initiated on a case-by-case basis.

  • No, but in some circumstances the names of vendors and products affected by a vulnerability may be published. If no vulnerability has been found in a product, no information will be disclosed as this could create a false sense of security. Vendors who have not received a vulnerability report should not be encouraged to stop investing in cybersecurity. The fact that the NTC has not found a vulnerability does not mean that there is none.

Ethical Hacking

  • The way in which initiative projects are structured as non-commissioned projects raises a number of questions with regard to possible criminal liability under Swiss criminal law.  Those responsible at the NTC wanted to fully understand the Swiss legal situation in order to comply with the relevant regulations when testing.

  • The report can be downloaded here. It is available in German. The summary  is available in German, English, French and Italian.

Vulnerability Disclosure Policy

  • The NTC is convinced that the responsible disclosure of vulnerabilities makes an important contribution to increasing Switzerland's security. As stated in the NTC Vulnerability Disclosure Policy, the NTC pursues three objectives with the disclosure of vulnerabilities:

    1) As a first step, vulnerability details are disclosed only to the vendor to ensure quick and accurate remediation of vulnerabilities and to protect affected systems.

    2) Vulnerability patterns are publicly disclosed so that other organizations can learn from them and test their systems for the presence of the identified patterns. In addition, this information is used by researchers and manufacturers to develop measures and prevent errors.

    3) Public disclosure of vulnerabilities, the affected products and the vendors as a warning of vulnerabilities to allow users to take their own precautions, especially if patches are not made available by the vendors or are made available late.

  • The NTC remains in contact with the affected organization throughout the vulnerability disclosure process and strives to find a solution that provides the greatest benefit to all parties involved. According to the NTC Vulnerability Disclosure Policy, there is some flexibility in the accuracy of the disclosure. However, the fact that vulnerabilities are made public is indisputable.

  • No. There are clear rules in the NTC Vulnerability Disclosure Policy that specify when details about the vendor, product or vulnerability will be disclosed. Neither the product and vendor name nor a detailed description of the vulnerability will be publicly revealed if the following conditions are met:

    • the vendor fixes the vulnerability without requiring any action by the affected parties (e.g. a cloud service where the user is not required to install patches)
    • there is no indication that the vulnerability has been exploited (e.g. in the log files)
  • No. The NTC is independent and does not normally share vulnerability information with the National Cyber Security Center NCSC or other third parties. The NTC reports vulnerabilities directly to the vendor or owner of the system, following the Vulnerability Disclosure Policy and the recommendations of the NCSC Coordination Policy on Vulnerability Disclosure (CVD).

    Have you discovered a vulnerability in an IT system or in commercially available applications, software or hardware and want to report it? The golden rule is to inform the vendor or system owner directly. However, if these organisations do not respond to you or if their response is insufficient, the NCSC can act as an intermediary to resolve such security issues.

    As suggested in the NCSC CVD and outlined in the NTC Vulnerability Disclosure Policy, if the vendor is unavailable or the vendor is unable or unwilling to address the vulnerability, the NTC may notify government agencies such as the NCSC.

  • Ideally, the NTC will be involved in the patch development process and the NTC encourages vendors to work with NTC testers to ensure that patches are accurate and complete. Often a source code patch is proposed directly that fixes the underlying bug. For complex cases, the NTC usually works with the software maintainer to develop and verify a correct solution.

    The NTC testers are available to provide feedback during the patch development process - an extra pair of eyes on a security patch can make a big difference, so the NTC encourages vendors to contact the NTC testers if they have questions or ideas they would like to discuss further. There have been several instances where the original patch was incomplete or inadvertently introduced another vulnerability, and the NTC has then worked with the maintainer/vendor to find a correct solution.

    The NTC often provides additional guidance on ways to harden code, reduce the attack surface, design improvements, testing, and so on. This often leads to structural improvements that go beyond a single bug fix. Collaboration on these structural improvements is a specific goal of the NTC and is seen as an important long-term component of its work.

  • New vulnerabilities are usually published on the NTC Vulnerability Hub:

    In addition, a selection of relevant vulnerabilities may be included in other publications such as summary reports, public alerts, press releases, newsletters, etc. Most of these publications can be found in the News section of the NTC website:

  • At first it is important to note, that the vast majority of the vulnerabilities are fixed within the deadline. We are convinced, that disclosing a handful of unfixed vulnerabilities doesn't substantially help attackers in the short-term, but does lead to the demonstrated long term benefits of shortened patch timelines and more frequent patching cycles.

    Additionally, as stated in the NTC Vulnerability Disclosure Policy, we reduce the level of detail of the publication, when no fix is available. Alternatively, we may opt to notify the Swiss National Cyber Security Center NCSC about the vulnerability in such cases.

  • The NTC encourages organizations to adopt a Vulnerability Disclosure Policy (VDP) that creates a safe harbor where security researchers can easily and safely report vulnerabilities without fear of legal repercussions.

    A great help for security researchers is a "/.well-known/security.txt" file on the website. The "security.txt" standard makes it possible to quickly find the responsible security contact on an organization's website. The standard provides for a text file with the name "security.txt" to be stored in the predefined directory "/.well-known" on the organization's website. This file contains at least the contact details that can be used to get in touch with the responsible security contact of an organization. In addition, further security-relevant information can be stored there.

    Here is an example: https://www.ncsc.admin.ch/.well-known/security.txt

    Other resources that can help with implementing a vulnerability disclosure policy:

NTC Competence Network

  • The Network of Competence is a pool of cyber security specialists from Switzerland and abroad. The network is regularly contacted by the NTC when additional expertise is required. This ensures that the necessary skills are available and that requests can be processed with the required quality.