Security tests on Swiss COVID certificate find 136 vulnerabilities, amid calls for further restrictions

The Swiss COVID certificate launched in June has undergone its first phase of internal and public security tests, and the results are in.

This news item was derived from the Tracing the Tracers database, a project by AlgorithmWatch. The platform serves as the public interface for the continued monitoring, mapping, and explanation of the use of ADM-based applications to help contain and fight the spread of the SARS-CoV-2 coronavirus, in the attempt to simultaneously protect the health of millions of individuals and safely reopen European economies.
Search the database and learn more about the project at

In a 16 pages report, the National Cyber Security Center (NCSC) detailed the outcomes of a dialogue with both supervised bodies (among them, the Federal Office of Information Technology, Systems and Telecommunication (FOITT) and the National Test Institute for Cyber Security (NTC)) and "other experts and interested individuals" that has been ongoing since the end of May.

With the launch phase now complete, some 136 vulnerabilities have been found thanks to the testing process. Some, noted the NCSC report, have been already fixed; some others didn't need fixing ("Wontfix" category); but certain vulnerabilities are still filed under the "ongoing" category, meaning that "the reported vulnerability is being analysed and a solution to the problem is being prepared".

"Several critical flaws were still being analysed", wrote SwissInfo, "and would not be published for the time being for security reasons".

While 136 vulnerabilities might seem a lot, the NCSC argues that the number "can be considered normal", given the "high technical and organisational complexity" of the COVID certificate.

Also, additional vulnerabilities can still be reported to the government, as the public testing process is also ongoing.

COVID-19 infections are however on the rise in Switzerland, as in the rest of Europe, due to the spread of the delta variant. This has prompted calls for further restrictions, including an extension of the COVID pass — now mandatory for large, public events and nighclubs — to attend "smaller" events.

Experts from the Swiss National Covid-19 Science Task Force are also concerned, added le News, and one option that is being considered is removing the rapid antigen test option from having the certificate issued. "Such a move", wrote le News, "would turn the Swiss Covid certificate into a kind of immunity certificate reserved for those who have been vaccinated or have recovered from the disease".