Russian Ministry Considers Legalizing White Hat Hackers
The Ministry of Digital Development, Communications, and Mass Media is considering introducing the concept of bug bounty programs into the legal framework to legitimize payments to “white hat hackers” who test information systems for vulnerabilities. Currently, such specialists risk criminal prosecution for unauthorized access to computer information and are unable to legally receive compensation for their work.
According to Vedomosti, citing a source at a Russian cybersecurity tool developer and a contact at an international information security company, the Ministry is exploring ways to bring bug bounty programs into the legal domain. White hat hackers are cybersecurity experts who test information systems for vulnerabilities to help developers secure their software solutions. They participate in bug bounty programs and receive rewards for finding bugs.
However, their actions can sometimes be interpreted as unauthorized access to computer information, which is a criminal offense under Article 272 of the Russian Criminal Code, according to one of the newspaper’s sources. Luka Safonov, CTO of AO Synclit, noted that legalizing bug bounty programs would allow such reward systems to be extended to the testing of government systems as well.
Legal Gray Area for Security Researchers
Business security consultant Alexey Lukatsky shared a story illustrating the lack of legal recognition for bug bounty programs: “Just remember the case of an admin at a telecom operator in Obninsk who tried to help clients by scanning their network for vulnerabilities. He was detained by FSB officers and is now being prosecuted under Article 274.1 for unauthorized impact on Russia’s critical information infrastructure.”
He added, “Searching for vulnerabilities is always an activity on the edge. On one hand, researchers act within the framework of an agreement and have no malicious intent, but on the other hand, not everything is covered by the contract, and their actions can cause damage, which may have consequences. Therefore, the attempt to bring this area into the legal field is welcome.”
Government Support for IT Community
Since late February 2022, the Russian government has been offering various support measures for the IT community, following the outflow of specialists after the start of Russia’s “special military operation” in Ukraine. Among other initiatives, in March the Ministry of Digital Development announced financial support for white hat hackers.