Regions launch testing of state systems for vulnerabilities with “white hat hackers”

Testing government IT systems for vulnerabilities by trusted hackers is becoming popular in the regions of the Russian Federation. According to Kommersant, by the end of the year the government of the Moscow region intends to test its infrastructure in partnership with Positive Technologies. In early December, testing was launched by the Leningrad region. Currently, only Russian specialists participate in testing state systems, but one of the sites has already established payments to foreign testers from friendly countries.

The Moscow region will join the Bug Bounty program (checking IT systems by “white hat hackers” for vulnerabilities) by the end of the year, sources in the IT market told Kommersant. The cybersecurity specialist clarified that the Moscow region authorities intend to place their government services infrastructure (more than 300 electronic services are available, the number of their users exceeds 6.7 million people) on the Positive Technologies platform (Standoff 365 Bug Bounty). The amount of reward, according to them, depending on the level of danger of the vulnerability, can reach 150 thousand rubles. The company confirmed that negotiations are ongoing, without disclosing details. The government of the Moscow region did not respond to Kommersant’s request.

In August, the Ministry of Digital Development introduced the information security (IS) parameter into the rating of digital transformation of government agencies. Now federal and regional departments must provide monthly information on measures to protect IT systems, including Bug Bounty testing by “white hackers” (see Kommersant, August 23).

The first Bug Bounty program in the public sector was officially launched by the Ministry of Digital Development itself on State Services in February in partnership with the same Positive Technologies and BI.Zone (BI.Zone Bug Bounty). The project lasted three months, and in November the ministry decided to restart the program for a year, expanding it to the Unified Biometric System, the Unified Identification and Authentication System and others (see Kommersant on November 9).

The Leningrad region, together with BI.Zone, launched a local Bug Bounty program on December 1 on the budget process management system, the region’s Modern Education system and others, the region’s digital development committee told Kommersant. Depending on the level of vulnerability, the remuneration of specialists reaches 150 thousand rubles, testing is carried out until December 15, BI.Zone clarified.

Informzashita believes that Bug Bounty programs will appear in other regions in the near future: “In the case of services that are related to government services, there should be no problems, since they are well developed technologically.” But in the region’s own systems, the success of Bug Bounty will depend on who developed the services, the state of the infrastructure, etc., clarifies Anatoly Peskovsky, an expert in the department of countering cyber threats at Informzashita. Kaspersky Lab notes that Bug Bounty provides valuable information about gaps in infrastructure “for mature companies.” But if a company “is not completely confident in its cyber protection,” then going to Bug Bounty is not very effective, says Kaspersky ICS CERT expert Vladimir Dashchenko: “Many simple vulnerabilities will be found, on which a lot of money will be spent.”

Currently, only Russian specialists participate in Bug Bounty programs on state systems. However, Positive Technologies says that they have already established a mechanism for payments to foreign “white hat hackers”. “The partners have a current account in rubles in a Russian bank, we make payments to this account,” the company explains. “The partner then makes the payment in accordance with the laws of the country in which the researcher receives the payment.” They rely on foreign testers from Asia, the Near and Middle East.

Director of the Security Analysis and Anti-Fraud Department at BI.Zone Evgeniy Voloshin noted that cooperation with a large community of “bug hunters” “allows us to study digital resources from different angles, conduct an in-depth analysis, and therefore get the most complete picture of the level of security of systems.”

Tatiana Isakova