White Hat Hackers May Be Added to a Special Registry
The Federation Council, FSB, Ministry of Internal Affairs, and companies specializing in information security (IS) are discussing the possibility of creating a registry of white hat hackers and certifying them. This was reported to Vedomosti by three sources close to various IS companies. According to them, the issue was discussed at a closed meeting of agency representatives in early August.
The IT industry considers this initiative underdeveloped, as a list of IS specialists who research vulnerabilities in components of critical IT infrastructure could be of interest to cybercriminals and foreign intelligence agencies.
The possibility of creating a registry of white hat hackers and their certification is being considered as part of a draft law on white hat hackers, explained Artem Sheikin, a member of the Federation Council Committee on Constitutional Legislation and State Building, to the media.
According to sources in one of the major IS companies, the proposed measures (a registry and certification) are intended to make vulnerability research programs safer when they involve significant objects, including critical information infrastructure (CII). An expert noted that this would help legalize many areas related to offensive and preventive security and eliminate the gray zones in which white hat hackers currently operate.
Experts believe the initiative also has weaknesses, including the introduction of strict bureaucratic requirements for joining the ranks of white hat hackers to participate in bug bounty programs, which could deter potential participants. In this case, hackers may find it easier to sell discovered vulnerabilities to criminals rather than receive official rewards, which may be much lower than what is offered on the black market.
The problem is that the government currently lacks sufficient tools to ensure mandatory compliance with such certification rules, explained Igor Bederov, head of the investigations department at T.Hunter and an expert with the NTI SafeNet market. “Naturally, the community will oppose the proposed regulation, but if its members want to work legally, they will get certified. Having a certificate could serve as a basis for companies and individuals to trust the expertise of such hackers,” Bederov said.
The idea is poorly thought out and will only result in nobody wanting to seriously analyze the security of CII and other systems if doing so requires being listed in some registry, believes Alexey Lukatsky, a security consultant at Positive Technologies. “Moreover, considering that in Russia almost any registry eventually leaks, this poses a serious danger to those listed, as not only could they face personal sanctions from the US and other countries, but their lives could also be at risk. The US has already demonstrated its ability to extradite Russian IT and IS specialists and bring charges against them,” Lukatsky said.