The Ministry of Digital Development will test its services with white-hat hackers by the end of the year

As Kommersant learned, the Ministry of Digital Development will conduct another Bug Bounty program – now on several of its own services in addition to State Services. Platforms for searching for vulnerabilities will be provided for a fee by Positive Technologies and BI.Zone, and the maximum payment can reach 1 million rubles. Market participants believe that it would be useful to expand the program to other government agencies, but there are not yet enough resources for this, both financial and personnel.

The Ministry of Digital Development plans to launch the Bug Bounty program (testing information systems by “white hat hackers” for vulnerabilities) again by the end of the year, this time on nine of its own services in addition to State Services, sources in the IT market told Kommersant. In particular, one of them clarifies, the search for vulnerabilities will be deployed in the Unified Biometric System, the Unified Identification and Authentication System, the Unified Regulatory Reference Information System and others.

The Ministry of Digital Development launched the first Bug Bounty program at Gosuslugi in February in partnership with Positive Technologies (Standoff 365 Bug Bounty) and BI.Zone (BI.Zone Bug Bounty). She walked for three months. Now, Kommersant’s interlocutors say, the program is planned for a year with the same partners. The payment for each serious vulnerability that a “white hat hacker” discovers can reach 1 million rubles. depending on the significance, clarifies one of Kommersant’s sources. Positive Technologies and BI.Zone declined to comment. The Ministry of Digital Development did not answer Kommersant.

According to the results of the first testing of State Services, as reported by the Ministry of Digital Development, 34 significant vulnerabilities were discovered, and 8.4 thousand specialists took part in the program. The maximum payment for an error found (with a medium and low level of danger) was 350 thousand rubles, the minimum – 10 thousand rubles.

The first Bug Bounty project was a test project, with a limited period and number of systems for research, now the program will be launched on an ongoing basis and will cover all e-government complexes, explains Vladimir Dryukov, director of the Solar JSOC Cyberattack Center (participates in testing together with Rostelecom Information Security) ). Informzashita clarifies that 12 months is the normal period for a mature infrastructure; companies often set aside 8–9 months for testing.

The Ministry of Digital Development became the first Russian government agency to conduct penetration testing of its IT systems, although law enforcement agencies considered the admission of “white hat hackers” to state systems to be the legalization of computer crime (see Kommersant, December 16, 2022). Meanwhile, the practice of Bug Bounty has become widespread abroad, including in the public sector. For example, in July 2022, the US Department of Defense launched a short program (for eight days) in its public IT systems. The ministry allocated $110 thousand for the search for vulnerabilities, with the cost of a vulnerability starting from $500. The first time the US Department of Defense held a Bug Bounty on its own websites was in 2016; as a result, 90 vulnerabilities were discovered (see “Kommersant” dated May 19, 2016).

For the Russian market, the proposal of the Ministry of Digital Development is a very high level of payments, says Denis Makrushin, technical director of MTS RED. In the programs announced recently, he clarifies, the maximum reward amount was 60–250 thousand rubles; only the largest digital platforms promise millions in payments for found critical vulnerabilities. It would be useful to expand the experience of the Ministry of Digital Development to the IT systems of other government agencies, Mr. Makrushin believes, but “not everyone is ready for this.”

The experience of the Ministry of Digital Development is important for the development of Bug Bounty in the Russian Federation, but it is still difficult to talk about the wide spread of the initiative to other state-owned companies and departments, notes Artem Sheikin, deputy chairman of the council for the development of the digital economy under the Federation Council. One of the reasons, he said, is the lack of technical and financial resources for a comprehensive analysis of vulnerabilities, as well as a possible shortage of personnel.

Tatiana Isakova