In Russia, the attitude of the authorities towards cybercriminals is changing. They want to equate some of them with terrorists and throw them in prison for life, while on the contrary, they want to legalize others. The latter applies to "white" hackers – the state intends to take their activities outside the sphere of influence of the Criminal Code of the Russian Federation in the coming months. The Russian security forces don't like it.
A white hat will save you from the sky in "hashtags"
The Russian authorities intend to reconsider their attitude towards "white" or "ethical" hackers: hackers who break into systems and services not with malicious intent, but at the request and for the money of the owners of these services, and sometimes for free, in order to point out vulnerabilities to them. Currently, their activities are not regulated by law in any way, but many of their acts can be classified under several articles of the Criminal Code of the Russian Federation at once. Moreover, the same authorities want to equate ordinary hackers who break state systems and services with terrorists – according to current legislation, such criminals can be sentenced to life in prison.
According to Izvestia, in the very near future, a bill will be submitted to the State Duma that facilitates the activities of "white" hackers, whose symbol is a white hat, and legalizes them on the territory of Russia. This will not only simplify their lives – Russian companies will also get their own "perks", because they will be able to work with them legally, buying their services.
According to the publication, the bill, as soon as it becomes law, will allow "ethical" hackers to test systems and services for security against hacking and penetration. It is important to note here that nothing prohibits them from doing this now – moreover, there are several sovereign bug bounty sites in Russia, where companies and even state structures, such as the Ministry of Digital Resources, order the services of "white" hackers. The customers also include the largest Russian IT giants: Yandex, VK holding, Tinkoff Bank and the Ozon marketplace, one of the authors of the bill, MP Anton Nemkin, told the publication.
However, at the same time, the very concept of "bug bounty" (a reward for finding "holes" and vulnerabilities in software) is absent from the country's legal field, which makes the work of "white" hackers in Russia very risky. As CNews has written, they openly say that they are afraid of criminal prosecution.
Law from the ruling Party
The authors of the new bill, as Izvestia writes, are deputies from the United Russia faction. In developing the document, they were assisted by their colleagues from the New People faction.
The draft law is an amendment to the current Federal Law 16-FZ "On Information, Information Technologies and Information Protection". According to the deputies' plan, the document will be considered by the lower house of parliament before the end of the spring session, but in 2024 that session will end not in the spring or even at the beginning of summer, but only on August 9, 2024.
The Ministry of Digital Resources is also among those participating in the discussion of the document. Representatives of the department confirmed this fact to the publication.
The text of the bill describes the main scenarios of cooperation between companies and "white" hackers: a direct contract and interaction through a bug bounty program.
Security forces are unhappy
It is important to note that the Russian security forces are against the legalization of "white" hackers. As reported by CNews, they united against this initiative at the end of 2023. The Ministry of Internal Affairs and the Prosecutor General's Office of Russia, as well as the Investigative Committee, jointly oppose the legalization of "white" hackers. All of them claim that there is no need to make any amendments to the Criminal Code of the Russian Federation that could legalize ethical hackers.
In fact, the security forces opposed the initiative of the Ministry of Digital Development – the agency in the spring of 2022 began to promote the idea of legalizing such specialists. In March 2022, it came up with an idea to financially support ethical hackers, and in July 2022, it received a proposal to legalize them.
The risks are not justified
In modern Russia, until the new bill becomes part of its legislation, "ethical" hackers take a lot of risks doing their job. They are constantly threatened with both criminal and administrative liability. This opinion is shared, among others, by Ilya Zharsky, Managing Partner of the Veta expert group.
He told the publication that it is best for "white" hackers to have all the necessary written hacking permissions from the owners of the system or service with whom they have agreed to cooperate. These documents will be very useful when law enforcement agencies become interested in the hackers' activities. According to Zharsky, the new bill will provide hackers and their clients with "more freedom to protect their systems and protect personal data of users, databases of government agencies and other businesses interested in these amendments," Izvestia writes.
Terrorists and millionaires
Currently, "white" hackers in Russia earn tens and hundreds of thousands of rubles, and sometimes millions – the amount of their fee primarily depends on the client's ability to pay. The risk of a vulnerability that hackers have found also plays a role – the more critical the "hole" is, the more they will usually be paid.
In 2023, VK Holding, formerly known as Mail.ru Group, paid "ethical" hackers more than 34 million rubles for 1500 reports; experts were looking for gaps in most of the company's services, including Skillfactory, as well as in the smart speaker "VK Capsule".
Despite the fact that "white" hackers are still not legalized in Russia, domestic companies are increasingly willing to use their services and are ready to spend much more money on them than two years ago or even a year ago. A vivid example of this is the Internet giant Yandex, whose expenses for payments to "ethical" hackers reached 70 million rubles by the end of 2023 – this is more than twice as much as in 2022. In 2024, the Internet giant will pay hackers at least 100 million rubles.
Yandex even has its own program for encouraging "white" hackers called "Bug Hunting", in which, according to the results of 2023, almost 530 hackers took part. During the reporting period, they sent Yandex about 740 vulnerability reports, of which 378 were unique; the experts who found them received their money.
Also, "white" hackers cooperate directly with the state. As reported by CNews, in early 2023, the Ministry of Digital Development initiated a program to search for "holes" on the website of "Gosuslug". The project of the Ministry of Digital Development attracted more than 8.4 thousand white hackers from all over the country. Testing took place on the Bi.Zone Bug Bounty and Standoff 365 platforms, owned by Positive Technologies.
At the same time, hacking "State Services", even if agreed with the Ministry of Digital Development, can result in a life sentence for hackers. CNews wrote that in mid-March 2024, Andrey Svintsov (LDPR party), Deputy Chairman of the State Duma Committee on Information Policy, IT and Communications, personally suggested that hacking the websites of state agencies and state online services should be regarded as terrorism. He cited the portal of state services as one example of a state resource whose hacking should qualify a cybercriminal as a real terrorist.
At the time of the material's release, Svintsov's initiative remained at the level of an idea. But there is still a possibility that it will turn into a bill, and then into a law, and it cannot be ruled out that this will happen faster than the bill on the legalization of "white" hackers is signed.