“White hackers” found and helped eliminate 34 vulnerabilities in State Services

But under the current Criminal Code they could be convicted for this

The Federation Council plans to bring hackers who hack programs for good purposes out of the gray zone. As Senator Artem Sheikin told MK, a bill on the legalization of “white hat” hackers has already been prepared. They will search for vulnerabilities in digital resources and repel cyber attacks.

Attacks on Russian websites and information systems, including government ones, have increased exponentially over the past three years. The statistics of computer incidents compared to 2020 increased by 42% in 2021 and by 15% in 2022, the Federation Council calculated.

“Due to the increasing number of computer incidents in Russia, the activity of searching for vulnerabilities and assessing the security of information resources is becoming increasingly relevant for both commercial structures and government agencies,” emphasized Artem Sheikin, deputy chairman of the council for the development of the digital economy under the Federation Council, “Specialists in searching for vulnerabilities of information resources, also called “white hackers”, “pentesters”, help to identify weaknesses, errors in systems and eliminate them before attackers could take advantage of them, and thereby prevent the occurrence of information security incidents and related ones losses.

Meanwhile, hacking a software code, even if it was ordered by the developer or owner, can result in a prison sentence for the hacker. From the point of view of the Criminal Code, any hacker is a criminal, and his research into the strength of a program or application is a crime in the field of computer security.

Because of this, “white hackers” themselves prefer not to advertise their activities once again.

True, this year the Ministry of Digital Development, with the help of white hat hackers, has already discovered 34 serious vulnerabilities of the State Services platform, which were publicly announced. However, there is still no legal basis for searching for black holes and white spots in the code.

– The current legislation completely lacks the concepts of “pentest” and “Bug Bounty” (“search for vulnerabilities.” – Approx. “MK”), which raises concerns among vulnerability detection specialists due to the risk of an ambiguous legal assessment of their activities,” noted Artem Sheikin. “This circumstance does not contribute to an increase in the number of professionals ready to engage in this area.

To make life easier for “white hackers,” Artem Sheikin, together with information security experts, developed a bill that is designed to legalize the activity of searching for vulnerabilities in digital resources and establish state control over it.

According to the developers’ plans, hackers will be able to test applications for defense against attacks both on request and on their own initiative. If computer hacking geniuses discover a vulnerability, it will need to be reported to the developer or owner of the resource, as well as to FSTEC and the FSB for publication in the threat database. It is assumed that the public sector will be able to attract “white hackers” to test their sites and applications through the government procurement procedure.