Will white hat hackers soon come out of the shadows? Bug bounty bill on the way
The Federation Council wants to speed up the adoption of the law on white hat hackers.
The Council for the Development of the Digital Economy under the Federation Council has asked the Ministry of Digital Development, Telecommunications and Mass Media of the Russian Federation to expedite the preparation of a bill that will provide a legal basis for searching for vulnerabilities in software for a fee and establish the boundaries of responsibility for vulnerability researchers, also known as white hat hackers. Artem Sheikin, Deputy Chairman of the Digitalization Council, told TASS about this.
According to the deputy chairman, who heads the section on technological sovereignty and information security of the Russian Federation, the idea of developing a bill that would introduce the concept of bug bounty (searching for vulnerabilities in software for a fee) into the legal field has been publicly discussed since the summer of 2022 and was being developed by the Ministry of Digital Development. The bill provides, in particular, for changes to Article 272 of the Criminal Code (CC) of the Russian Federation (illegal access to computer information).
“The movement of the bill was complicated due to the position of a number of departments, since the line between criminally punishable actions and legal ones, as well as between the responsibility of the researcher and the responsibility of the owner of the system is very shaky,” Sheikin explained.
According to him, the existing legislation on computer crimes is outdated, and it is necessary to modernize approaches and decision-making methodology. “In this regard, we put forward a proposal to define a new type of activity for finding vulnerabilities in software for a fee, as well as a proposal to define the limits of responsibility of specialists in the search for vulnerabilities on legal grounds. And we recommended to the Ministry of Digital Development to resume work on the development of a legislative initiative aimed at introducing into the legal field the activity of finding vulnerabilities in software for a fee and defining the limits of responsibility of specialists in finding vulnerabilities,” Sheikin said.
He noted that the goal of the bill is to legalize and simplify the activities of “white” hackers, “as this will activate those researchers who are afraid of any legal consequences.” “At the same time, there are possible provisions of the bill that may prevent specialists in the search for vulnerabilities. For example, if it contains provisions on the creation of a white hat hacker registry, licensing of individuals, then this will require researchers to come out of the shadows, for which many of them are definitely not ready,” added the deputy chairman of the Digitalization Council.
He stressed that regulating the activities of vulnerability finders “will help them feel that they are protected in legal terms and increase their interest” in working in this area.