In Russia, white hackers will be allowed to search for vulnerabilities

Teacher

Testing programs for vulnerabilities will become legal.

The State Duma Committee on State Construction recommended that the Duma adopt in the first reading a bill legalizing the activities of "white" hackers in Russia, RIA News reports.

The authors of the legislative initiative were representatives of the Digital Russia party project: deputies Anton Nemkin, Gennady Panin and Igor Markov, as well as members of the Duma Committee on Information Policy Vyacheslav Petrov and Anton Tkachev. They propose to introduce a number of amendments to Article 1280 of the Civil Code of the Russian Federation.

Currently, to check the security of Russian companies' systems, "white" hackers need to obtain numerous permissions from the owners of each program included in the information system. Conducting tests without such permission may lead to copyright infringement, with possible financial penalties ranging from 10 thousand to 5 million rubles or in the amount of twice the cost of the rights to use the program.

Based on this, the draft law provides for the possibility of studying, investigating or testing the functioning of programs by a person who lawfully owns a copy of a computer program or a copy of a database, in order to identify its vulnerabilities and correct obvious errors, the authors of the initiative noted.

At the same time, "white" hackers are required to inform copyright holders about all vulnerabilities found within five working days after their discovery, except in cases where it is impossible to establish contacts (location, place of residence or correspondence address) of the copyright holder. The adoption of the initiative will make it possible to conduct vulnerability analysis in any form, without the permission of the copyright holders of the corresponding program, including the copyright holders of infrastructure and borrowed components, the documents say.

Under current legislation, a program may be tested only to ensure its overall performance and to adapt it to the user's application needs, and the amendments help to focus on ensuring information security, said Gennady Panin, First Deputy Chairman of the Committee on Regional Policy and Local Self-Government, coordinator of the Digital Russia party project in the Moscow Region.

The draft grants the right to make edits without the permission of the copyright holder of the corresponding program, including the copyright holders of infrastructure and borrowed components, and without remuneration to them. In other words, a user who legally owns the program will be able not only to fine-tune the product, but also to investigate it from the security side, test how vulnerable it is, and make the necessary changes.
 
"White hackers" will be given access to critical infrastructure of the Russian Federation

The State Duma Committee is preparing another bill aimed at legalizing the work of ethical hackers.

The State Duma Committee on Information Policy, IT and Communications is developing another bill aimed at legalizing the work of "white hackers", Kommersant reports. The initiative is an addition to the previous draft law proposed in December 2023, which concerned the ability of companies to engage such specialists without specifying the mechanisms for organizing their work.

The new draft law proposes to amend article 16 of Federal Law No. 149-FZ "On Information, Information Technologies and Information Protection". These changes should clarify the conditions under which companies, including those with the status of critical information infrastructure (CII), as well as various government agencies, can attract "white hackers" to cooperate and use penetration testing platforms such as Bug Bounty.

According to the document, organizations will be able to attract "white hackers" both directly under the agreement and through public offers to attract specialists. The government will have the power to "set requirements for the procedure and conditions" for conducting testing by "white hackers". They will apply to government agencies, including the subjects of the Russian Federation, local self-government bodies and CII subjects.

All testing activities will have to be coordinated with the federal security authority, presumably the FSB of Russia.

Legalization of the work of "white hackers" has been under discussion since 2022 amid a sharp increase in cyber attacks on Russian IT systems. Initially, the idea raised questions from law enforcement agencies, but in December 2023, the first draft law was submitted to the State Duma (amendments to Article 1280 of the fourth part of the Civil Code of the Russian Federation).

As Anton Nemkin, a co-author of the project and a member of the State Duma Committee on Information Policy, IT and Communications, reported in December, the first draft law on "white hackers" changes the provisions of the law that do not allow such specialists to test information systems without permission from the copyright holder of each program.

Nemkin clarified to the publication that "the second draft is ready for submission, it is undergoing the last approvals." "We need to understand that now the legalization of "white hackers" is a necessity, since companies already use their services," he stressed. Nevertheless, Anton Nemkin clarified that the Russian Bug Bounty market (platforms for testing systems for penetration) is in its infancy and is still very small - its volume in 2023 did not exceed 200 million rubles.

The Ministry of Digital Development, Communications and Mass Media of the Russian Federation told the publication that they have no information about another draft law on this topic.
 