The bill on “white hackers” is stuck at the stage of discussion due to the position of the FSB

The introduction of the concept of bug bounty into the legal field may be delayed.

The adoption of the bill on “white hackers”, which proposes to introduce the concept of bug bounty into the legal field and to amend the Criminal Code, may be delayed due to the dissatisfaction of the FSB and the FSTEC. Vedomosti reports this, citing sources in cybersecurity companies and interlocutors familiar with the discussion of the bill.

Mintsifra (the Ministry of Digital Development) has been trying since summer 2022 to introduce the concept of bug bounty into the legal field. According to one of the interlocutors from a cybersecurity company, the bill involves changes to Article 272 of the Criminal Code on illegal access to computer information. The maximum penalty under this article is seven years in prison. Liability arises if illegal access resulted in the modification and copying of computer information.

However, the progress of the bill in its current form was suspended due to the position of the FSB and the FSTEC. According to one of the newspaper's sources, these departments oppose the liberalization of the provisions of the Criminal Code and expressed this position at one of the working meetings on the bill.

The publication sent inquiries to both departments, but the Ministry of Digital Development declined to comment.

Another source indicates that the position of the FSB and FSTEC was expressed by their employees at working meetings on the bill in the Ministry of Digital Development. According to one of the interlocutors, the line between criminally punishable actions and legal ones is “very shaky”, and “no one will change the Criminal Code.”

The publication also reports that rewards for finding vulnerabilities in information systems are currently offered by three Russian companies: Positive Technologies, Synclit and BI.ZONE. Positive Technologies representative Artem Sychev emphasized that the draft law will allow “activating those researchers who are afraid of any legal consequences,” and that the company is participating in its discussion.

Luka Safonov, technical director of Synclit, also expressed the opinion that although his company did not participate in the discussion of the “white hackers” initiative, a bill aimed at regulating them is definitely needed. He noted that in addition to the criminal article 272 of the Criminal Code, “white hackers” may also face punishment under article 273 of the Criminal Code (“Creation, use and distribution of malicious computer programs”). Safonov believes that the initiative may meet opposition from law enforcement agencies “in terms of the possible legalization of computer crimes.” According to him, the bill may not suit the pentesters themselves – if it requires researchers to come out of the shadows, which many of them are definitely not ready for.

Lawyer Maxim Matsenko, head of the criminal practice of Vinder Law Office, believes that there are no problems with the vulnerability of “white hackers”. He explains that the participation of a hacker in a program to find vulnerabilities for money implies that the companies participating in the project voluntarily provide their networks for finding vulnerabilities, which completely excludes criminal liability, provided that the hacker does not go beyond his rights.

