"State" tariff: the Ministry of Digital Development will introduce state rates for "white hackers"

The Bug Bounty system is preparing for unification and new tariffs.

The Ministry of Digital Development is considering introducing "state tariffs" for participation in Bug Bounty programs. Deputy Minister of Digital Development Alexander Shoitov announced this at SOC Forum 2024, Kommersant reports. According to him, the initiative is aimed at "normalizing the procedure": many federal and regional authorities already run such programs, but participation is not yet mandatory, despite proposals from a number of market participants. Shoitov stressed that the effectiveness of the approach still has to be demonstrated, and that the areas of responsibility of the parties involved in testing the systems need to be clearly defined.

For Bug Bounty to become a mandatory procedure, it must first be normalized, and in particular state tariffs must be introduced, Shoitov added. According to a source in the cybersecurity industry, "tariffs" here means regulated payment rates to "white hat hackers" for the vulnerabilities they identify.

The Ministry of Digital Development clarified that the tariff proposal is still being developed and that it is too early to discuss specific measures or details. Ministry representatives noted that various scenarios are being discussed together with other departments and industry representatives.

Work on scaling Bug Bounty in the public sector has been underway since 2022, when cyberattacks on Russian IT systems, including state ones, increased. Among the first participants were the Ministry of Digital Development and the Gosuslugi (State Services) portal. In the summer of 2023, participation in Bug Bounty was included in the digital transformation rating for government agencies. In December 2023, the first bill regulating the activities of "white hackers" was submitted to the State Duma, and a second bill aimed at standardizing the testing of IT systems was developed.

Experts note that tariffs may play a key role in standardizing Bug Bounty, especially if it becomes mandatory for critical information infrastructure (CII) facilities and government agencies. A grid of tariffs broken down by federal district is under discussion, with separate prices planned for large nationwide services such as Gosuslugi. For example, a critical vulnerability in a federal-district-level system is expected to pay from 30 to 50 thousand rubles, while rewards for nationwide services could reach up to a million rubles.

A number of experts view state tariffs positively, pointing out that they unify payment for vulnerability discovery, which is especially important for state systems, where clear regulation is required. The tariffs are expected to take into account not only the interests of the system owners but also the expectations of the third-party teams that take part in Bug Bounty programs and search for vulnerabilities in the infrastructure.

At the same time, some argue that a fixed price for a vulnerability can reduce participants' motivation if it does not reflect the real severity of the issues found and does not take into account the dynamics of the information security market, where the cost of such services remains high.
