Access to the source without participating in the pen test is clearly governed by the contract I linked, both because that's what the page you need to click through to access the source says [0], and because there is a different contract governing participants in the pentest [1].
I'm frankly more concerned with the indefinite NDA than the "you must continue to work for free clause". I'm reasonably confident that Swiss law doesn't allow for a clause to force me to work without compensation, and I'm quite confident that local law does not regardless of what Swiss law says. The indefinite NDA though strikes me as legally valid, and could plausibly put me in a situation where I'm stuck between keeping silent about vulnerabilities and civil disobedience [2].
I emphasized "without participating in the pen test" above because I just noticed an amusing loophole in the contract that makes the NDA somewhat (not completely, and still not the rest of the contract) reasonable... The pen test agreement states
> If you sign up to the source code access programme and there is a conflict between the E-Voting Solution Source Code Access Agreement and the TC&CoC, the latter shall take precedence.
It also states
> Participants / researchers are allowed to publish their findings following a publication date agreed with the organizers. This date will be 45 days after the initial confirmation of the reported finding at the latest.
As such I think if I sign up for both programs the NDA on disclosing vulnerabilities is not indefinite.
This story is largely verifiable via Google - The author has asked that his reddit account/recounting not be directly linked to his name, please respect that here as well.
> I'm reasonably confident that Swiss law doesn't allow for a clause to force me to work without compensation, and I'm quite confident that local law does not regardless of what Swiss law says.
Yes, this is not a valid clause.
> The indefinite NDA though strikes me as legally valid,
There isn't an indefinite NDA,
> "The expiry or termination of the Agreement shall not affect the validity of the obligations of the Researcher entered into under the Agreement (including but not limited to the Fair Use Restrictions, the Reporting Procedure and the Responsible Disclosure)."
With the termination of the Agreement, the contract is void; these obligations can't be prolonged. There is only an exception for trade secrets, which will continue even after a work contract. But this is no work contract. And second, there are no trade secrets in here.
Anyways, the whole agreement is fuzzy; this clause
> "The Owners grant access to the EV Solution Source Code in the Program to the extent required by the (Swiss) Federal Chancellery Ordinance on Electronic Voting (“the Ordinance”) (1). No part of this Agreement shall be construed as to provide surpassing rights or to permit its use for other purposes."
gives full public access, with no strings attached. The later clauses are contradictory to this one.
This is part of the reporting procedure/responsible disclosure, and thus lasts past the end of the agreement. It is an NDA. It can be extended indefinitely by the owners without my consent.
> No Vulnerability shall be published within a period of forty five (45) days since the last communication exchanged with the Owners with regards to such potential Vulnerability, unless the Owners have agreed to a shorter period or defined a longer period.
The later clauses being contradictory is an interesting point, but not one I would want to personally litigate.
[0] https://www.post.ch/en/business/a-z-of-subjects/industry-sol...
[1] https://onlinevote-pit.ch/conduct/
[2] A similar example in Finland where companies and government agencies conspired to try and keep vulnerabilities secret: https://www.reddit.com/r/talesfromtechsupport/comments/9m8fz...