Russian State Duma Approves First Reading of “White Hat Hackers” Bill
The State Duma has passed the first reading of Bill No. 509708-8, “On Amendments to Article 1280, Part Four of the Civil Code of the Russian Federation (on the use of computer programs and databases),” which addresses the work of “white hat hackers.” The bill was introduced to parliament back in December last year by representatives of the “Digital Russia” party project, including Anton Nemkin, Gennady Panin, Igor Markov, and members of the State Duma Committee on Information Policy Vyacheslav Petrov and Anton Tkachev.
According to the bill’s authors, under current legislation, “white hat” hackers must obtain numerous permissions from the copyright holders of each program included in an information system to conduct security testing for Russian companies. Conducting such testing without these permissions can result in copyright violations and fines of up to 5 million rubles or double the cost of the software.
The bill proposes allowing individuals who lawfully own a copy of a computer program or database to study, research, or test its operation to identify vulnerabilities and fix obvious errors. This process can also be delegated to other parties. However, vulnerability testing is permitted only for copies of programs and databases operating on the user’s own technical devices. Information about discovered vulnerabilities may only be shared with the copyright holder or those responsible for fixing them, unless otherwise specified. Researchers must notify the copyright holder of any identified vulnerabilities within five business days of discovery.
Expert Opinions and Legislative Goals
Anton Tkachev, First Deputy Chairman of the State Duma Committee on Information Policy, Information Technology, and Communications, emphasized: “Russia is one of the leaders in digital technology development, but our legislation does not yet align with modern trends—there is no provision for testing digital services for vulnerabilities. The situation is such that a service owner hires a tester, a so-called ‘hacker,’ to identify all weaknesses and provide a report. While these actions are necessary for digital product development, current law provides for criminal liability for such actions. We need to allow these activities so that all test ‘hacks,’ which are a necessary element of security, are no longer in a legal gray area.”
Gennady Panin, First Deputy Chairman of the Committee on Regional Policy and Local Self-Government and coordinator of the “Digital Russia” party project in the Moscow region, noted: “Under current law, programs can only be tested to ensure general operability and adaptation for personal use. The amendments focus on information security, granting the right to make changes without the copyright holder’s permission, including for infrastructure and third-party components, and without compensation. This means that a lawful user can not only fine-tune the product but also test its security and make necessary changes. This is especially important given the current digital threats from unfriendly countries and both intentional and accidental data leaks. The ultimate goal is to improve information security through program study and testing.”
Anton Nemkin, a member of the State Duma Committee on Information Policy and one of the bill’s authors, stated: “The work of ‘white hat’ hackers should become as routine and necessary as, for example, independent external audits of financial statements or third-party legal reviews of various aspects of business operations at the request of entrepreneurs themselves.”
Parliamentary Discussion and Concerns
During the discussion before the vote, deputies pointed out that Russian systems are subject to numerous cyberattacks, which makes regular security audits essential and makes it necessary to simplify the work of the relevant specialists.
It is noteworthy that the bill’s initiators repeatedly mentioned “testing software from ‘unfriendly countries’,” but no specific proposals for regulating this issue have been made yet.
When it came time for questions, Irina Yarovaya pointed out that the bill lacks clarity on information security issues, particularly regarding data transfer. The authors responded that data transfer provisions are included in the bill and will be further refined for the second reading.
Deputy Alexey Kurinny asked what happens after a “white hat hacker” checks a program—if the hacker simply reports the problems to the copyright holder, is the copyright holder required to fix them? The bill’s initiators replied that since the copyright holder orders the testing, they should be interested in correcting any errors found.
Before the vote, Anatoly Wasserman spoke, noting that he used to be a programmer himself and that copyright law was “reasonable back then, unlike now.” He argued that the current “vulnerability in copyright law,” which puts “white hat hackers” at risk, should be eliminated as soon as possible, especially given the heightened cyber threats facing the country.
Ultimately, the bill was passed in its first reading.