Russian Post plans to launch a three-year Bug Bounty program for testing its IT systems by “white hat hackers”


Large state-owned companies are beginning to use the services of “white hat hackers”. As Kommersant learned, Russian Post will soon announce a tender for testing its IT systems as part of a three-year Bug Bounty program in order to avoid further data leaks. Cybersecurity experts consider the idea relevant, but emphasize that implementing it will require clearly defined regulations and rules in order to avoid “disagreements with white hat hackers.”

As part of strengthening the cybersecurity area, Russian Post plans to launch a three-year Bug Bounty program and will soon announce a tender for the provision of the corresponding platform, Dmitry Ilyin, the company’s deputy general director for IT and digital services development, told Kommersant. “We assume that there will be one platform provider to which we will be able to attract all participants in the information security market,” he clarified. It is planned to test “the main systems that play an important role in the operation of the postal service.”

A Kommersant source in the cybersecurity market believes that this primarily means the company’s website and its mobile application. The test results will become “a criterion for clarifying security and developing additional measures,” explains Dmitry Ilyin. He did not specify the amount of funding earmarked for rewarding “white hat hackers.” Mr. Ilyin added that in the spring the board of directors of Russian Post approved a cybersecurity plan for the coming years. “As part of its implementation, we want, together with the main market participants, to transform the systems and processes responsible for information security in the company,” he noted. The Ministry of Digital Development did not respond to Kommersant’s request.

At the end of 2022, information about a data leak at Russian Post appeared in specialized Telegram channels: full names of individuals and names of client companies, telephone numbers, addresses and tracking numbers of parcels, weight, item status, etc. were leaked online. The Post confirmed the fact of the leak, but denied that hackers managed to gain access to the entire database (see “Kommersant” dated July 29, 2022).

The search for vulnerabilities in companies’ IT systems has become especially relevant against the backdrop of an increase in cyber attacks on Russian companies since February 2022. Among the first government agencies to launch Bug Bounty programs was the Ministry of Digital Development. At the end of 2023, the ministry scaled up testing not only for “State Services”, but also for the Unified Biometric System, etc. (see “Kommersant” dated December 12, 2023). Currently, the State Duma is discussing two bills related to Bug Bounty: one legalizing the engagement of “white hat hackers” to test software without the permission of its copyright holders, and one on the procedure for organizing such testing (see Kommersant on April 2).

There will be demand from “specialists” for participation in the Russian Post program, says Yulia Voronova, director of consulting at Positive Technologies (Standoff 365 Bug Bounty platform). “If the company offers normal bonus payments for found vulnerabilities and quickly verifies them, there will be demand from researchers,” agrees Luka Safonov, technical director of Garda WAF. A Kommersant source in the cybersecurity market notes that in general, “this kind of research can cost on average 20–30 million rubles for three months of work.”

However, the larger the company, the more systems it has and the more complex the processes, so for large organizations launching a Bug Bounty is a rather difficult task, warns Evgeniy Voloshin, director of the BI.ZONE security analysis and anti-fraud department (BI.ZONE Bug Bounty platform). Before testing, it is necessary to conduct an internal analysis of the criticality of resources and first check the “most mature” part of the infrastructure, he believes.

Evgeniy Voloshin also points out that, to avoid disagreements between “white hat hackers” and the company, the organization being tested must clearly state the rules of the program: on which resources which vulnerabilities should be looked for, and which ones will not be taken into account.

Tatyana Isakova, Yulia Tishina