Bughunters Bug bounty Reward security researchers for discovered vulnerabilities

Main article: Bug (Bug) - a bug in a computer program

HackerOne

• HackerOne

2024

VK paid about 240 million rubles to security researchers

VK has processed over 18 thousand reports from baghunters and paid more than 236 million rubles over 10 years of the Bug Bounty vulnerability search program. The company announced this on April 16, 2024. Read more here.

The State Duma Committee approved amendments to the Civil Code of the Russian Federation aimed at legalizing "white" hackers

The State Duma Committee on State Construction and Legislation recommended that the House of Parliament adopt in the first reading the first of a package of bills aimed at legalizing the activities of "white" hackers in Russia. The authors of the bill - representatives of the party project "Digital Russia" Anton Nemkin, Gennady Panin, Igor Markov and the State Duma Committee on Information Policy Vyacheslav Petrov and Anton Tkachev - propose to amend article 1280 of part four of the Civil Code of the Russian Federation. This was announced on March 25, 2024 by the press service of the State Duma deputy RFAnton Nemkin.

To test the Russian the security of companies' systems, "white" hackers need to obtain a large number of permissions from the copyright holder of each program that is part of the information system. Testing without such permissions may result in copyright infringement. In this case, "white" hackers may be obliged to pay compensation in the amount of 10 thousand rubles to 5 million rubles, or in two times the cost of the right to use the corresponding program.

Based on this, the bill provides for the possibility of studying, researching or testing the functioning of programs by a person who rightfully owns a copy of the program for COMPUTER or copy in databases order to identify it vulnerabilities to correct obvious errors. Also, this process can be entrusted to other persons, subject to a number of conditions: identification of vulnerabilities is carried out exclusively in relation of computer program and database instances, operating on the technical means of the user; it is possible to transmit information about the identified gaps only to the copyright holder or to those who will eradicate these vulnerabilities, unless otherwise established by law.

According to the bill, "white" hackers must inform the copyright holder about the identified vulnerabilities within five working days from the date of their detection, except if it was not possible to establish its location, place of residence or address for correspondence.

The adoption of the bill will allow analyzing vulnerabilities in any form, without the permission of the copyright holders of the corresponding program, including the copyright holders of infrastructure and borrowed components.

It is important for government agencies and large corporations, which often themselves have their own staff of qualified IT specialists, to systematically attract "white" hackers as independent professionals. This is because they can, for their part, test the security of information systems using the same tools as their unethical counterparts. This is especially important when it comes to protecting huge amounts of personal data of citizens and access to key state systems and services - including in the context of external attacks on such resources that are unprecedented in scale and aggressiveness. Testing IT systems for strength, a "white" hacker acts on behalf and with the consent of the owner of such a system and does not commit anything illegal. Our goal is to ensure that this is enshrined in the legislation, and the specialists themselves received more freedom for their work for the benefit of the state, - said the deputy.

It is especially important to protect key government systems and services from unprecedented external attacks - in 2023, their number increased by 65% compared to 2022. Nevertheless, the Russian bug bounty market is in its infancy and is still very small - its volume in 2023 did not exceed 200 million rubles. This is partly due to the fact that in Russia there are certain risks to the work of "white" hackers, so they are in no hurry to get out of the shadows. We are trying to solve this problem with our bills. I am sure that when they come into force, the popularity of "white" hackers will multiply, - concluded Anton Nemkin.

The services of ethical hackers are already used by some companies. For example, Yandex in 2023 paid such specialists 70 million rubles for searching for vulnerabilities in services and infrastructure. In 2024, 100 million rubles will be allocated for these purposes. The company also holds contests to find specific types of errors, in which awards can increase 10 times compared to regular payments. At the same time, Yandex itself sees a concrete benefit from holding such contests - they help focus the attention of "white" hackers on the most important areas of security for the company. For example, one of these contests was held specifically to search for vulnerabilities that could lead to data breaches. They also run their programs,, Ozon VK"."Tinkoff

Yandex has increased the reward for bug hunters in smart devices to a million rubles

Yandex has expanded the Bug Hunt program for smart devices, adding changes to it in 2023 - Duo Max Station, Midi and TV Stations. The maximum amount of remuneration for the vulnerabilities found increased from 600 thousand to a million rubles. This will help attract more "white hackers" to test the devices for strength. Yandex announced this on February 7, 2024. Read more here.

2023

In 2023, Yandex paid 70 million rubles to ethical hackers

In 2023, Yandex paid 70 million rubles to participants in the Hunt for Errors program. It is dedicated to finding vulnerabilities in the company's services and infrastructure. Yandex announced this on March 12, 2024. Compared to 2022, the total amount of payments almost doubled. This is due to the launch of competitions in various areas of "Hunting" with increased payments, an increase in awards and an increase in the number of program participants. In 2022, Yandex paid researchers about 40 million rubles. Read more here.

Positive Technologies Launches Its First Bagbounty Product Program

Positive Technologies launched its first bagbounty product program. The company announced this on December 20, 2023. Read more here.

The Prosecutor General's Office and the Ministry of Internal Affairs oppose the legalization of "white"

On November 28, 2023, the Prosecutor General's Office, the Ministry of Internal Affairs and the Investigative Committee announced that they did not support the initiative to legalize "white" hackers in Russia. Law enforcement agencies fear that such a practice will complicate the prosecution of real cybercriminals.

We are talking about amending the Criminal Code, which can legalize the creation and use of malicious software by ethical hackers on the instructions of the customer. Such specialists can be rewarded by companies to search for vulnerabilities in their information systems and software (bug bounty concept). The bill provides that "white" hackers will be able to study and test products for weaknesses and at the same time will have to report the found "holes" to the software copyright holder without fail. In addition, the government will have the right to establish requirements for identifying vulnerabilities (now they are determined by the actual customer of the bug bounty program).

The prosecutor's office, the Ministry of Internal Affairs and the UK opposed the legalization of "white" hackers

On the one hand, the proposed amendments will help improve the situation in the field of cybersecurity. According to Vladimir Bengin, director of product development at Solar Security, more than 50% of Russian ethical hackers do not enter the legal field, because they fear criminal prosecution. Legalization of the activities of such specialists will eliminate this obstacle. In addition, a platform can be created that will simplify the interaction of "white" hackers with companies.

But, on the other hand, the power structures believe, changes in legislation can be used by attackers. For example, real cybercriminals will be able to present documents on the conclusion of a contract for testing hacked InformSystems in order to prove their innocence. In such cases, proving malice will be problematic.^[1]

The Ministry of Digital Development of the Russian Federation is preparing a permanent program for searching for vulnerabilities in the electronic government

The Ministry of Digital Development of the Russian Federation is preparing a permanent program for searching for vulnerabilities in the electronic government. The plans of the department became known on November 9, 2023.

On this day, the Kommersant newspaper, citing sources in the IT market, wrote that the Ministry of Digital Development by the end of 2023 will launch the Bug Bounty program (testing information systems by "white hackers" for vulnerabilities) for 9 of its own services, including the Unified Biometric System (EBS), the Unified Identification and Authentication System and the Unified Regulatory Reference Information System.

Ministry of Digital Development will launch a vulnerability search program in e-government

The Ministry of Digital Development launched the first Bug Bounty initiative at the Public services in partnership with Positive Technologies (Standoff 365 Bug Bounty) and BI.Zone (BI.Zone Bug Bounty), they lasted three months. The new program is planned for a year with the same partners, informed interlocutors told the newspaper.

According to the director of the Center for Countering Cyber ​ ​ Attacks Solar JSOCVladimir Dryukov (participates in testing together with RostelecomInformation Security), the first Bug Bounty project was a test, with a limited period and number of systems for research, now the program will be launched on an ongoing basis.

The publication of Kommersant notes that the Ministry of Digital Development has become the only government agency that has tested the search for vulnerabilities by white hackers on their own systems. According to experts interviewed by the publication, such experience should be expanded to the services of other departments. However, by November 2023, it is premature to spread the initiative in a wide range partly due to the lack of technical and financial resources for a comprehensive analysis of vulnerabilities, as well as a possible shortage of personnel, said Artem Sheikin, deputy chairman of the council for the development of the digital economy under the Federation Council.^[2]

Ministry of Digital Development shared the results of bug bounty of Public services and ESIA

The Ministry of Digital Development at the TAdviser SummIT conference Cybersecurity in October 2023 revealed the current results of the program for commercial search for vulnerabilities (bug bounty) in the services of the Public services and the ESIA. At the moment, within the framework of the study, which will last from February 2023, 37 vulnerabilities were identified, for which 1.95 million rubles were paid . The payment was made by Rostelecom, the operator of both services. The program of open testing of sites first by Public services, and then by ESIA was initiated by the Ministry of Digital Development on February 10 on two domestic platforms BI.ZONE Bug Bounty and Standoff 365. To date, more than 8 thousand specialists have taken part in the study, who have provided a total of 187 reports.

The research experience was recognized as successful, - said Yevgeny Khasin, deputy director of the cybersecurity department of the Ministry of Digital Development. - For such money, we could not find such vulnerabilities before. During the study, architectural vulnerabilities were also identified. In addition, the process of informing FSTEC about the discovered vulnerabilities was worked out. For us, this is the cheapest way to find vulnerabilities and check the operation of our SOC

It is clear that when testing such a high-load system for researchers, rather strict requirements were established: not to disrupt the functioning and availability of GIS, not to use physical penetration into the infrastructure, not to apply social engineering practices and hacking user accounts, not to move into the internal perimeter, not to download data from the system and not distort them. Payments were made only if all these requirements were met.

Results of the commercial vulnerability search program for Public services and ESIA

According to Yevgeny Khasin, commercial vulnerability search programs have serious advantages over the classic penetration test (pentest), which have previously been used to verify the security of these government services. In particular, it works continuously, in contrast to the pentest, which has to be carried out regularly. The study involves an unlimited number of researchers, so it is not limited to the qualification of a single pentester or company. Payment is made for a really confirmed vulnerability - this is monitored by the platform organizing and controlling the process of searching for vulnerabilities. As a result, for well-protected resources, payments for discovered vulnerabilities are cheaper than regular rather expensive pentests.

Ministry of Digital Development plans to launch bug bounty programs

In 2023, Ministry of Digital Development plans to launch vulnerability search programs for a reward for 20 information systems. In addition, it is planned to expand the powers of applicant researchers.

The effectiveness of this practice has been proven, it finds its application not only in the work of the Ministry of Digital and Government Agencies, but also in business. In general, such an analysis of the security of information systems should be carried out on a regular basis, "he explained.

Evgeny Khasin said that at the beginning of 2023 the program was already tested on Public services. As a result, the total amount paid to white hackers amounted to about 2 million rubles. {{quote 'The work was carried out by the Ministry of Digital Development together with Rostelecom. The bug bounty platform for public services was provided by Positive Technologies and BI.ZONE, a ministry spokesman explained. }}

At the same time, such events served as some incentive for the development of the information security industry. Especially in the context of integrating new, successful international practices, the same white hackers. At the level of individual companies, an understanding has been reached that white hackers should become part of the policy to ensure information security, the deputy said.

It should be understood that modern cybersecurity is not only about the implementation of regulatory practices, which are determined, for example, by FSTEC, but also about constant self-verification. Attacks on software solutions and infrastructure occur constantly, so protection must become constant and continuous. The state is also aimed at the systematic development of this industry. Therefore, the issue is being worked out both in the Ministry of Digital Science and in our committee. There are two main areas of activity here: on the one hand, this is the creation of platforms on which such practices will be implemented, and on the other hand, a lot of work to popularize the direction among business and government agencies, the parliamentarian said.

Innostage protects clients from invalid events

Innostage announced on September 22, 2023 that it would check the level of protection of its own information infrastructure using the bug bounty program. Read more here.

Import substitution of "white hackers." The main trends of Bug Bounty in Russia have been identified

The pioneers in the use of bug bounty were large companies from the financial sector, retail, IT. Now both medium and even small businesses come to the conclusion that this is an effective security analysis tool . This trend is noted in BI.Zone, which on August 24, 2023 summed up the work of its BI.Zone Bug Bounty platform for the year.

Another trend is the public sector's interest in bug bounty. Now on the BI.Zone Bug Bounty platform there are information systems from this area. Largely due to the fact that the Ministry of Digital Development drew attention to this security analysis tool, its development received an impetus in the public sector. First, the bug bounty program for "Public services" was launched in test mode. And now a large number of other bug bounty programs are being prepared, which will later be published, said Evgeny Voloshin, director of strategy at BI.Zone.

There is some specificity in working with this segment compared to business. In general, administratively for the bug bounty site, working with the public sector is a little more difficult due to the formalization and bureaucratization of processes, explained Evgeny Voloshin, answering TAdviser questions. At the same time, he noted, everything is going very cheerfully with the Ministry of Digital Development.

Ramazan Ramazanov, Baghunter, Head of External Pentest Department at DeteAct (provides services for analyzing application security, infrastructure penetration testing, architecture security audit), believes that "white hackers" and he personally have some concerns when working with the state: "initially, many thought that they could show 'mask show'," so there is some alertness.

Bug bounty in Russia is rapidly gaining popularity

Among the trends in the Russian bug bounty services market in BI.Zone, they note that the community has become accustomed to domestic sites. In 2022, foreign bug bounty platforms, including the most popular - HackerOne - abruptly stopped operating in Russia. And foreign baghunters "fell off" for Russian companies, including due to problems with payments due to sanctions. Against this background, similar Russian platforms began to actively develop.

Both last year and in 2023, there are three main players here: the Bugbounty.ru platform, which is being developed by Sinclit and which was launched earlier than others, Standoff 365 Bug Bounty from Positive Technologies and BI.Zone Bug Bounty from BI.Zone.

On the BI.Zone Bug Bounty platform, which started in August 2022, as of August 2023, 17 companies and 51 public programs are represented, Evgeny Voloshin cited data.

Among the clients are such companies as Tinkoff, Avito, VK, Ozon, SberAvto, SberMarket. One of the latest public bug bounty program was launched by Astra Group to search for vulnerabilities in its Astra Linux OS. And one of the users of non-public programs in BI.Zone is called Sberbank.

Evgeny Voloshin, in a conversation with TAdviser, noted that from what can be seen now, about half of the user companies of their platform also use one or two more bug bounty platforms from those on the market.

Tinkoff, for example, is now presented at all three Russian sites after HackerOne, which it previously used, left Russia. Dmitry Gadar, vice president, director of the Tinkoff information security department, says that in the first half of 2023, in terms of the number of monthly vulnerability reports, their company has already reached the level that it was until February 2022. And in terms of the total number of reports for the six months of 2023, Tinkoff has already 3 times exceeded the number of such for the entire 2022.

It seems that the trend is as positive as possible, and we are returning to the state in which we were at international venues, - notes Dmitry Gadar.

The total number of "white hackers" participating in bug bounty programs on Russian sites, while it is estimated at about 4 thousand people. This is significantly less than was generally available to Russian customers earlier, when their systems could be "broken" by experts from all over the world at international sites. The attraction of foreign baghunters is now proceeding at a rather slow pace. At the same time, in previously published statistics from international sites, Russia was listed among the leading countries in terms of the number of baghunters.

Over the year, BI.Zone Bug Bounty paid "white hackers" more than 15 million rubles for the vulnerabilities found. Of all the "finds," 13% are critical vulnerabilities and a high degree of seriousness - i.e., those that can lead to a shutdown of a business or service, theft of data or money. In some cases, when implementing such vulnerabilities, the business could suffer billions of dollars in losses, says Evgeny Voloshin.

Yandex has opened a hunt for hackers for special "holes" in its services, the maximum reward is 2.8 million rubles

Yandex is launching a competition in the Bug Hunt program, in which ethical hackers will have to look for errors and vulnerabilities in Yandex services that can lead to the disclosure of sensitive information. The maximum reward for a critical vulnerability will be 2.8 million rubles - this is 5 times more than the usual payment for these categories of the program, Yandex representatives shared with TAdviser on August 1, 2023. Read more here.

"White" hackers found 34 vulnerabilities of the public services portal - "a lot of interesting things"

On May 19, 2023 , the Ministry of Digital Development announced the results of the bug bounty program on the portal of public services, which was launched in early February. According to the ministry, more than 8.4 thousand bug bounty participants from all over Russia checked the security of the portal and fought for remuneration. In total, 34 vulnerabilities were discovered, most of which were with a medium and low level of criticality.

For critical vulnerabilities, cash payments of up to 1 million rubles were provided, depending on the level of criticality of the vulnerability found. As a result, the maximum payment for the found bug amounted to 350 thousand rubles. minimum - 10 thousand rubles.

More than 8.4 thousand baghunters took part in checking the security of the public services portal "(photo - akket.com)"

Testing took place on the BI.Zone Bug Bounty and Standoff 365 platforms. The project was sponsored by Rostelecom, RTK-Solar is the information protection operator of the public services portal.

Baghunters did not have access to internal data, they say in the Ministry of Digital Development. Participants worked only on the outer perimeter, and the vulnerabilities found were completely controlled by monitoring systems so that they could not be used for hacking.

We had a hypothesis that if we carry out a bug bounty, then for a fairly small amount of allocated funds we will be able to radically increase the level of security, find many vulnerabilities, and nothing bad will happen. We coordinated it for a long time and talked it out with other regulators, because everything new causes a lot of risks and fears, "said Vladimir Bengin, director of the Ministry of Digital Development cybersecurity department at PHDays on May 19. - Today we believe that the first stage of bug bounty is finished by the Ministry of Digital Development, and it passed categorically successfully.

Vladimir Bengin added that the monitoring systems regarded any study as a standard attack, without distinguishing researchers from attackers - there was technically no such possibility. And the department was sure that in fact vulnerabilities would not be found at all or would be found, but not much.

But no, we found a lot of interesting things - several dozen vulnerabilities of different criticality. Some have already been eliminated, some have been leveled, - said the director of the cybersecurity department of the Ministry of Digital Development.

This is a complex procedure, where you need to work out a lot of nuances clearly. The most difficult thing was to build a system work on working out reports, because a large number of hackers were involved, and many messages were received from them. And for each vulnerability in the department, they were forced, when they confirmed and understood that such a vulnerability really exists, to take all monitoring systems and check historically whether there were facts of triggering earlier, whether anyone exploited this vulnerability.

This is hard work, but super useful, - said Vladimir Bengin.

The Ministry of Digital Development plans in the future to continue to conduct bug bounty "Public services," as well as expand the program to other departments.

Ministry of Digital Development of very few "white" hackers in Russia

In mid-April 2023, the Ministry of Digital Development, Communications and Mass Media of the Russian Federation reported a small number of so-called "white" hackers ("pentesters") in the country, so the business decided to launch training programs for such specialists.

By the way, we have very few pentesters in the country. Over the past year, all top teams have been busy and not only top teams, but also small teams, they also say very small ones - all orders have a lot. And, it turns out, we have few hackers. Therefore, they launched several trainings. Thanks for this to the companies, - said Vladimir Bengin, director of the Ministry of Digital Development cybersecurity department, at one of the forums on April 14, 2023.

Business decided to launch training programs for "white" hackers

According to him, over the past four months, two or three new courses have appeared. He added that the Ministry of Digital Development is in favor of training "white" hackers "in the industry."

"White" or "ethical" hackers are cyber intruders who use their skills for good. They help developers look for gaps in their products, but by no means free of charge. The symbol of this movement is the white hat, where the name of the "white" hackers came from. Earlier it was reported that Ministry of Digital Development is working to legalize the activities of "ethical" hackers. As Vedomosti wrote, the ministry considered the possibility of introducing the concept of bug bounty into the legal field.

This is due to the fact that the concept of bug bounty does not appear in the current Russian legislation, that is, such hackers can at any time test the quality of execution in Russia of the punishments provided for by the criminal code.

In March 2023, Secretary of the Security Council of the Russian Federation Nikolai Patrushev called on departments to minimize the risks of information leaks. He noted that it is worth taking into account the increased danger of harm to the Russian information infrastructure, the possibility of blocking, destroying and compromising it and strengthening the protection of the domestic digital space.^[3]

FSB and FSTEK turned out to be against the bill on "white hackers"

The Federal Security Service (FSB) and the Federal Service for Technical and Export Control (FSTEC) were against the bill on "white hackers" due to the provisions of the Criminal Code related to unlawful access to information. In this regard, the adoption of the initiative may be postponed, Vedomosti writes in the issue of March 27, 2023.

The bill refers, in particular, to changes in Art. 272 of the Criminal Code of the Russian Federation "Illegal access to computer information," a source in one of the cybersecurity companies familiar with the document told the publication. This article implies illegal access to legally protected computer information, if these actions entailed, in particular, modification and copying of this information. The maximum liability under this article is seven years in prison, the newspaper notes.

The adoption of the bill on "white hackers" may be postponed due to objections from the FSB and FSTEC

According to one of Vedomosti's interlocutors, the FSB's position FSTEC was expressed by their employees at working meetings on the bill c. Ministry of Digital Development According to one of the interlocutors, the line between criminal actions and legal ones is "very shaky," and "no one will change the Criminal Code."

According to lawyer Maxim Matsenko, head of criminal practice at Vinder Law Office, the problem of vulnerability of "white hackers" does not exist. The hacker's participation in the vulnerability search program for money suggests that companies participating in the project voluntarily provide their networks to search for vulnerabilities, he explains. This completely excludes criminal liability, provided that the hacker does not go beyond his rights, the lawyer noted.

According to lawyers interviewed by the newspaper, by March 2023, the Criminal Code of the Russian Federation has a number of articles under which the activities of white hackers may fall. Among them are "illegal access to computer information," "creation, use and distribution of malicious computer programs," "violation of the rules for the operation of means of storing, processing or transmitting computer information."^[4]

The program for searching for "holes" in "Public services" is open. White hackers are ready to pay up to 1 million rubles for the vulnerability found

As previously predicted by TAdviser sources in the information security market (see publication in the block below), in the week of February 6-12, 2023, the Ministry of Digital Development launched a project to search for vulnerabilities in Public services and other e-government resources. It was announced, in particular, on February 10. Third-party baghunters will check the security of e-government for the first time.

The program will take place in several stages. At the first stage, which will last 3 months, independent researchers will check the Public services portal and the Unified Identification and Authentication System (ESIA). In the next stages, the list of resources will be expanded, and the conditions will be updated.

Ministry of Digital Development announced the bug bounty program for "Public services" "(image: Ministry of Digital Development)"

The prize fund of the program is 10 million rubles. It is sponsored by Rostelecom, which is responsible for operating the e-government infrastructure.

The reward for baghunters depends on the degree of vulnerability found:

• low - gifts with project symbols;
• average - up to 50 thousand rubles;
• high - from 50 to 200 thousand rubles;
• critical - up to 1 million rubles and gratitude from the Ministry of Digital Development team.

Testing is available on BI.ZONE and Positive Technologies platforms.

Citizens of Russia can take part in the programs. The age of participants on BI.ZONE Bug Bounty is from 18 years old, on Standoff 365 Bug Bounty you can participate from the age of 14, if there is written consent of parents.

The task is to find bugs and transfer them to the Ministry of Digital Development. The logic and ways of hacking will be monitored by the project curators.

To participate, you need:

• Register on the selected platform;
• Read and agree to the terms of the program;
• Find the vulnerability without breaking the rules;
• Send vulnerability information through the platform;
• Wait for confirmation of the vulnerability from the Ministry of Digital Development.

In 2022, the number of attempts to hack government resources increased by 80% compared to 2021. The Ministry of Digital Development invites baghunters to join the program in order to work out new hacking scenarios and find the maximum security vulnerabilities, the program description on Public services says.

The state program for searching for vulnerabilities starts. White hackers will look for "holes" in "Public services" and ESIA

In the week of February 6-12, 2023 , Ministry of Digital Development expects to launch the bug bounty program to search for Public services vulnerabilities. In early February, TAdviser was told about this by three sources in the information security market and confirmed by a source close to the Ministry of Digital Development.

It will be launched, in particular, on the resources of information security companies Bi.Zone and Positive Technologies, which already have bug bounty platforms according to the developed rules and standards.

TAdviser has contacted all of the above organizations for comment, but they are not yet ready to say anything.

The Ministry of Digital Development within the bug bounty for "Public services" will be provided by site providers free of charge. According to TAdviser, "white hackers" will look for vulnerabilities, including in the unified identification and authentication system in the infrastructure of the electronic government of the Russian Federation (ESIA), which provides access to state resources.

To conduct bug bounty for state information systems, many legal points need to be resolved "(photo - cisomag.com)"

Recall that in October at the TAdviser IT Government Day conference, Minister of Digital Development Maksut Shadayev spoke about plans to hold a bug bounty on Public services . The agency hoped to announce and hold it by the end of 2022.

A source close to one of the companies participating in the project says that some delay is due to the fact that in order to conduct the program it was necessary to deal with a lot of legal nuances.

According to him, one of the ideas discussed is to make bug bounty a mandatory norm when putting state information systems into operation after the "run-in" on the "Public services." But this, most likely, will not happen quickly: in this case, a more complex procedure for coordinating with the FSTEC and clarifying legal points will be required, including how owners of state information systems will be able to pay for such services.

The corresponding rule on bug bounty may be further included in the Decree of the Government of the Russian Federation of July 6, 2015 N 676 "On Requirements for the Procedure for the Creation, Development, Commissioning, Operation and Decommissioning of State Information Systems and Further Storage of Information Contained in their Databases," added the interlocutor of TAdviser.

2022

VK paid white hackers more than 37 million rubles

For 2022, in which the VK bagbount program began to be implemented on a domestic platform, the company paid a total of more than 37 million rubles to white hackers. At the same time, the strategic goal of the IT company is to ensure the full integration of baghunters into the information security architecture due to the effective results of such programs. Read more here.

The Ministry of Digital Development will check the security of Public services at two sites at once, but it will not pay white hackers

As it became known at the end of October 202, Ministry of Digital Development plans to check the security of Public services at two sites at once, but the department will not pay white hackers.

As Vedomosti writes with reference to representatives of Positive Technologies and Cyberpoligon, these companies are involved in the Ministry of Digital Development to search for vulnerabilities on the State Public services portal. By the end of October 2022, the department is coordinating a general concept with other executive authorities, the Ministry of Digital Development told the newspaper.

The Ministry of Digital Development will check the security of Public services

It is assumed that monetary rewards for white hackers will still be provided, but directly from the sites themselves as part of increasing the experience of experts and checking the level of security of Public services.

The representative of the Ministry of Digital Development explained to the newspaper that at this stage this is an initiative of the information security companies themselves, which at the current stage does not provide for monetary remuneration from the department, and access to this program will be open to all participants on equal terms.

At the same time, the Ministry of Digital Development noted that such initiatives by industry players, their readiness for work are "another indicator of the responsiveness of the IT community and its involvement in the digital security of the state."

Participants in the information security market interviewed by the newspaper believe that researchers will not work for free, or in this case they will still find a way to monetize information about the problems found, for example, they will sell reports on vulnerabilities on the darknet. To minimize these risks, the heads of bug sites will pay small amounts themselves, and white hackers will gain experience and increase their personal rating on the platform for detecting vulnerabilities in this case.

On October 5, 2022, the head of the Ministry of Digital Development of the Russian Federation Maksut Shadayev announced the holding of the Bug Bounty program for the State Public services portal by the end of the year in order to encourage specialists in finding errors in service systems.^[5]

Bug Bounty in Russia: market condition and prospects. TAdviser Overview

The popularity of bug bounty programs is growing in the world, during which the company attracts third-party security specialists - the so-called "white hackers" - to test their software for vulnerabilities for reward or other "buns." Unlike pentests involving contractors, in the case of bug bounty, payment is for vulnerabilities discovered, and not for the time spent by an information security specialist. In Russia, interest in this practice is also increasing, and not only from the side of the business, which previously began to resort to bug bounty, but also appears from the public sector. TAdviser examined the current state and prospects of this market and prepared an appropriate review. The partner of the material was Positive Technologies. Read more here.

VK paid safety researchers three million rubles

On October 18, 2022, VK announced that it had received 300 vulnerability reports from external experts for three months of the bug bounty program on the Standoff 365 Bug Bounty platform, developed by Positive Technologies. VK experts recognized more than half of the messages as significant, the vulnerabilities identified on their basis were eliminated. At the same time, more than 50 security researchers received a reward totaling three million rubles. Read more here.

BI.Zone introduced the BI.Zone Bug Bounty vulnerability search platform

On August 25, 2022, BI.Zone (Secure Information Zone, Bison) introduced the Bug Bounty platform, on which more than 300 baghunters were pre-registered. Avito will be the first company to host its public bug bounty program. Read more here.

VK joins Positive Technologies' vulnerability search platform The Standoff 365

On August 8, 2022, VK announced its participation in The Standoff 365 Bug Bounty platform, developed by Positive Technologies. The IT company has placed a bug bounty program on the platform, which, with the help of external experts, helps to find flaws in the security system and fix them before being discovered by attackers. Read more here.

Ministry of Digital Development legalizes state payments to white hackers

On July 17, 2022, it became known about the decision Ministry of Digital Development RUSSIAN FEDERATION to legalize the so-called white hackers who earn money by searching for vulnerabilities in IT systems.

As they write Sheets"" with reference to a source in one of the Russian tool development companies, cyber security Ministry of Digital Development it will enshrine in the legislation the concept of bug bounty (payment of remuneration for discovering vulnerabilities) and launch a bonus program for them. Thus, white hackers can be involved in the analysis of vulnerabilities in information government systems, while they will avoid accusations of "improper access to computer information," the publication says.

Ministry of Digital Development plans to legalize white hackers

Experts interviewed by the publication believe that the legal definition in the legal field of action of pentests that analyze systems for vulnerabilities, as well as programs for paying remuneration to hackers for detecting vulnerabilities, by analogy with foreign bug bounty, will legalize the actions of white hackers and enable them to use and refine special software tools as part of strengthening cybersecurity mechanisms. Market representatives believe that by July 2022, it will be easier for many companies to contact the police and start a criminal case against the hacker, and not pay him for the problems found.

The legally enshrined concept can become one of the standards for assessing the real security of organizations both commercial and state, said Yaroslav Babin, project manager at The Standoff from Positive Technologies.

In April 2022, against the background of the county of IT specialists from Russia, after the start of a special operation in Ukraine, Ministry of Digital Development made a proposal to consider the possibility of direct financial support for white hackers. Representatives of the ministry then put forward an initiative to allocate funds for the so-called pentests (analyzing systems for vulnerabilities) and bug bounty programs, when a reward is paid for detecting vulnerabilities.^[6]

In Russia, a platform is being created to pay hackers for finding holes in software

After the international platform for finding vulnerabilities HackerOne stopped paying fees to Russian and Belarusian hackers, the Russian Federation thought about creating alternative sites. One of these company "Cyberpoligon" will be launched on April 1, 2022, as it became known the day before. Read more here.

Apple paid a record $100,000 to a student who hacked a computer webcam

At the end of January 2022, Apple paid a $100,000 error reward after a cybersecurity student who successfully hacked an iPhone camera in 2019 did the same with a Mac computer. Read more here.

2021

Bug bounty programs up 34%

Positive Technologies announced on October 26, 2022 that it had analyzed large and active bug bounty platforms around the world. Experts noted that the most popular platforms were among IT companies (16%), online services (14%), the service sector (13%) and trade (11%), financial organizations (9%). This global trend is generally correlated with the Russian one.

In 2021, the number of bug bounty programs, according to HackerOne, increased by 34%, and security researchers identified 21% more vulnerabilities. According to experts, by 2027 the bug bounty market could grow to $5.5 billion.

According to Positive Technologies, the leader in the number of large bug-bounty platforms is the Asian region, which hosts 38% of the analyzed resources. In second place is the European region, including Russia: here is a third of the platforms studied, including some of the largest, for example, Inturiti, YesWeHack, Zerocopter and Standoff 365 Bug Bounty. The share of platforms in the North American and Middle East regions was 21% and 8%, respectively.

Launch a program to pay $5,000 for found holes in their IT systems

On December 14, 2021, the US Department of Homeland Security (DHS) announced the launch of a program in which it offers a monetary reward for finding flaws and vulnerabilities in its IT systems. Read more here.

Hacker programs have fallen in price on the black market

In early July 2021, it became known about a decrease in the black market cost of hacker programs (the so-called exploits) used to search for vulnerabilities in systems from different manufacturers. This trend was reported by Trend Micro, a company specializing in creating information security products . Read more here.

Mail.ru Group paid another bonus to the researcher in the amount of $40,000

VK (formerly Mail.ru Group) paid another bonus to the researcher in the amount of 40,000. dollars This became known on July 8, 2021. The total amount of remuneration that the company paid under the program exceeded $2 million.

The Mail.ru Group vulnerability search program has been running on the HackerOne cybersecurity expert platform since 2014. It helps researchers find security flaws and fix them before attackers detect them. The large-scale program covers almost all projects of the VK ecosystem (which is being developed by Mail.ru Group), allowing to increase their security.

The amount of reward for the discovered vulnerability depends on its criticality. Payments range from $150 to $40,000, and the most expensive vulnerability declared in the program is estimated at 55,000 - one of the highest rates in the IT market.

Mail.ru Group pays remuneration to researchers every week.

In total, nearly 5,000 reports from just over 3,400 security researchers have been accepted since launch.

Vulnerability scanning is an important security tool that we are actively using. This is akin to regular medical examination: the more often you go to experienced doctors, the more chances that all possible health problems are caught at an early stage and do not lead to a crisis. The best experts from all over the world cooperate with us. They help us detect the slightest security threats and receive a well-deserved reward for this - not only money, but also recognition in the community. We are working to eliminate all discovered vulnerabilities as quickly as possible, which allows us to maintain a high level of security of our products, "said Alexey Grishin, head of the vulnerability search program, Mail.ru Group[7].

Cyber ​ ​ fraudsters began to attract "white hackers" to work under the guise of information security companies

In April 2021, it became known that the international hacker group FIN7 began to invite "white" hackers(pentesters, specialists in analyzing the security of information systems) to work under the guise of Check Point Software Technologies and Forcepoint, specializing in. information security The hired specialists do not suspect that they are working for cyber fraudsters, said the head of the expert services block Bi.Zone Yevgeny Voloshin in a conversation with "."Businessman

Bi.Zone said that FIN7 has developed a program that disguises itself as a tool for analyzing the security of networks. Windows Now cyber fraudsters are attacking large companies, USA pretending to be a legal organization by. cyber security

International hacker group FIN7 began to involve "white hackers" under the guise of information security companies

Positive Technologies described another scheme of attack on "white hackers": members of the North Korean cybercriminal group Lazarus got acquainted with them on social networks and instant messengers, after which they sent a link to an article in the blog. If the victim used the Google Chrome browser, when going to the blog, her computer was infected through the exploitation of a zero-day vulnerability. This allowed attackers to find valuable information on the computers of "pentesters."

The head of the Check Point representative office in Russia and SNGVasiliy Diaghilev confirmed the existence of a problem in which cyber fraudsters attract "white hackers," pretending to be a legal company. According to him, the attackers expect to take advantage of the credulity of companies that seek to save money on conducting a normal pentest, "the name of a well-known brand allows them to gain confidence." During a penetration test or as a result of successful detection of security holes, specialists often receive a high level of privileges to access the system.^[8]

2020

$35K for Vulnerability Scanning

At the end of November 2020, the Ministry of Digital Transformation of Ukraine announced a program to pay rewards for finding vulnerabilities in the unified system of electronic public services "Diya." This was reported by the press service of the department on Facebook and its head of the department, Mikhail Fedorov , on Telegram. Read more here.

Microsoft has increased payments for searching for vulnerabilities in its software by 3 times

In early August 2020, it became known that it Microsoft spent about $13.7 million for fiscal year 2020 for reporting security errors in its software. This figure is three times the amount received by researchers ON a year earlier ($4.4 million).

Microsoft's software bug detection awards are one of the largest sources of financial rewards for hackers and researchers who examine software for security threats and report them to a vendor rather than selling them to cybercriminals through underground markets. Microsoft has created 15 incentive programs, thanks to which specialists were able to earn $13.7 million for the period from July 1, 2019 to June 30, 2020.

Researchers who devote time to detecting security problems before attackers can use them deserve our respect and gratitude, the Microsoft Security Response Center said.

Microsoft tripled the reward for finding vulnerabilities in its software

Microsoft's total annual payments in this area far surpass Google's awards, which the company provides for identifying vulnerabilities in its software - only $6.5 million. However, even this figure is double the payments of the search giant for 2019. Microsoft says the higher total payments in 2020 are driven by the launch of six new rewards programs and two new research grants. They attracted more than 1,000 reports from more than 300 researchers. Microsoft also suggests that social distancing during the COVID-19 pandemic has caused a surge in security research.

During the first few months of the pandemic, we saw an active increase in program participants and an increase in the number of reports on all 15 reward programs, Microsoft said.[9]

Apple paid IT specialist $100,000 for vulnerability found

At the end of May 2020, it became known that Indian information security specialist Bhavuk Jain received $100,000 from Apple as a reward for discovering a serious vulnerability in the company's product.

The expert identified a problem in the Sign in with Apple authorization system, which is designed to preserve privacy and control personal data. When you log in for the first time, programs and websites can only request the user's name and email address to set up your account.

Login with Apple could be used to hack accounts

During authentication using the "Login with Apple" function, the JWT token is generated, which contains confidential information used by a third-party application to confirm the identity of the logged-in user. Exploitation of the vulnerability Jain found allowed an attacker to fake a JWT token associated with the identifier of any user. As a result, an attacker could be able to log in through the "Login with Apple" function on behalf of the victim in third-party services and applications that support this tool.

According to Jain, the vulnerability was contained in the way in which the user was verified on the client application side before the request was initiated from Apple authorization servers. 

Bhavuk Jain discovered the vulnerability in April 2020 and reported it to Apple. The company told the expert that they had conducted an internal investigation and found out that before the vulnerability was eliminated, not a single case of account hacking was recorded.

Sean Wright, head of SMB application protection at ImmersiveLabs, in a conversation with Forbes, called this vulnerability "significant" and unacceptable for a company with a "reputation for privacy." According to the expert, Apple needs to test its products more thoroughly.^[10]

Google increases payments for detecting vulnerabilities in Google Cloud Platform

Google has increased^[11] a total reward for detecting vulnerabilities in the Google Cloud Platform (GCP) cloud suite. Now security researchers can earn up to $313,337 as part of the Vulnerability Reward Program^[12].

In 2018, the total amount of payments amounted to $100,000 for detecting vulnerabilities in the cloud platform, but this year the total amount was increased to $313,337 and will be divided into six places. The amount of the largest reward will be $133,337, the second and third places - $73,331, the fourth - $31,337, and for the last two offer $1,000 for each.

"As last year, researchers need to apply to be eligible for remuneration. Information about vulnerabilities in one report is not limited. Specialists can submit several applications, one for each place, "according to the Google blog.

According to Google, the company in 2019 paid researchers more than $6.5 million in reward programs for discovered vulnerabilities, and since the launch of the first program in 2010 - more than $21 million.

ABC Vkusa launched a reward program for finding vulnerabilities in its IT services

On March 12, 2020, ABC Vkusa announced to TAdviser the launch of the bug bounty program, within which it plans to pay participants a total of more than 1.5 million rubles for the first year as a reward for vulnerabilities found on its website and in applications. More detailed here.

Drupal platform launched its bug bounty program

The Drupal content management system has its own vulnerability reward program to ensure maximum site security and privacy. Each user has the right to participate in the program, subject to the established conditions and requirements of the Drupal^[13][14].

The vulnerability reward program applies only to the drupal.org site and covers the following vulnerabilities: cross-site scripting (XSS), open redirection, cross-site request spoofing (CSRF) and incorrect access control.

An important point is that only authentic vulnerabilities will be accepted for consideration, and not automated penetration test results.

2019

Google paid researchers $6.5 million for vulnerabilities

In 2019, Google paid^[15] to security researchers for more than $6.5 million as part of the vulnerability reward program. Compared to 2018, the amount of remuneration paid in 2019 almost doubled. In 2018, Google paid security researchers $3.4 million. The program was launched in 2010, and since then the company has paid researchers about $15 million^[16].

In 2019, researchers received from $100 to $31,337 for one vulnerability, depending on its danger. For a bunch of vulnerabilities, the amount of remuneration increased significantly. This is exactly what happened in the case of Alpha Lab specialist Guang Ghosn, who received $201,337 for reporting a number of vulnerabilities in Pixel 3 devices.

In 2019, Google tripled the maximum base reward amount from $5,000 to $15,000 and doubled the maximum reward amount for high-quality reports from $15,000 to $30,000.

In addition, the company has expanded the vulnerability reward program for applications from Google Play. Since last year, any application with more than 100 million downloads can participate in the program. As part of this program, Google paid researchers more than $650,000.

The maximum amount of reward for vulnerabilities in Android has also increased. Now, for an exploit that allows you to remotely execute arbitrary code on the attacked system, the researcher can receive $1 million. For discovering such a vulnerability in the developer preview version, Google is ready to "throw" another $500,000 from above.

Japanese companies don't want to run bug bounty programs

Large Western companies like Google and Apple are offering "white" or "ethical" hackers millions of dollars in rewards for reporting vulnerabilities in their products. However, Japanese companies, including Toyota Motor, NEC and Fujitsu, prefer to limit themselves to just "thank you," writes the Japanese edition of Nikkei^[17].

Toyota Motor is ready to publicly thank a security researcher who found a vulnerability in its corporate website, but who discovered a vulnerability in its cars cannot even count on "thanks."

Despite the fact that in terms of technology, Japan is an advanced country, in terms of cybersecurity it lags far behind. Outdated building management systems allow cybercriminals to turn off ventilation, and most ATMs in the country can be accessed through unauthorized computers, sources told Nikkei. However, despite this, Japanese companies are in no hurry to launch programs to encourage security researchers (bug bounty). So, Toyota Motor is limited to a restrained "thank you," and you can't even expect this from NEC and Fujitsu.

Over the past two years, the average amount of remuneration that companies pay security researchers for discovered vulnerabilities has increased by 70%. For example, in November, Google announced its readiness to pay $1.5 million for vulnerabilities in Android that allow code to be executed remotely. Previously, the amount of remuneration for such vulnerabilities was $200 thousand.

VPN service NordVPN launched bug bounty program

VPN service provider NordVPN has launched[1] a program on the HackerOne^[18] to reward security researchers for vulnerabilities found. The amount of remuneration ranges from $100 to $5 thousand, but NordVPN is ready to pay more for "especially ingenious and dangerous" vulnerabilities.

Researchers can get rewarded for reporting vulnerabilities in NordVPN sites (nordvpn.com and some subdomains), Chrome and Firefox extensions, VPN servers, as well as in desktop and mobile applications for all platforms. The company also instructed researchers on how to report vulnerabilities in WordPress, OpenVPN and StrongSwan to relevant vendors directly.

NordVPN assured that security researchers are not threatened by any legal prosecution if their testing is carried out exclusively with good intentions. However, they are prohibited from disclosing vulnerabilities before the patch is released and without clear permission. At least 90 days should pass before the vulnerabilities are revealed^[19].

Mozilla triples reward amount under bug bounty

In honor of the 15th anniversary of its Firefox browser, Mozilla decided to expand^[20] its program to reward security researchers for discovered vulnerabilities (bug bounty) and increase the maximum reward by three times. So, from now on, for vulnerabilities in remote code execution in Firefox or other lesser-known Mozilla services (VPN, localization, code management tools, speech recognition, etc.), the researcher can receive $15,000. For other vulnerabilities, the company is ready to pay from $1,000 to $6,000^[21]

The decision to triple the amount of remuneration put Mozilla on a par with other technology companies, which also have bug bounty programs, however, at the very end of this row. For example,

• Yahoo! and Snapchat pay researchers $15,000 for any vulnerability in their services.
• $15,000 is the minimum amount of remuneration offered by Microsoft, while the maximum is $300,000.
• Also for comparison, the maximum reward amount within the bug bounty is $100 thousand from Intel,
• $33,000 at Dropbox,
• $20,000 at Twitter and
• $150,000 Google for vulnerabilities in. ChromeOS

The company also launched its bug bounty program. Huawei It is ready to pay $220 thousand for critical vulnerabilities in its Android devices Huawei Mate-series of smartphones(,,, and Huawei P-series Smartphones) and Huawei Nova Smartphone Y9 Honor series of smartphones $110 thousand for dangerous vulnerabilities. By the way, for the same vulnerabilities, Google offers smaller amounts - $200 thousand and $100 thousand, respectively.

The highest reward is offered by Apple, which in 2019 increased the amount from $200 thousand to $1 million^[22].

Hackers can exploit the sale of vulnerabilities as much as information security experts

On November 11, 2019, it became known that hackers can exploit the sale of vulnerabilities as much as information security experts who take part in reward programs for vulnerabilities found, or the so-called "gray hats" engaged in reverse engineering for the government. So says Oliver Rochford, head of research at Tenable. According to him, vulnerability research is an expensive process, and "white," "black" and "gray" markets use the same methods when searching for vulnerabilities, despite legal or illegal specifics.

The main difference between criminal and legal parties is the presence of ethics. The mechanism (vulnerability detection, exploit research and development) is the same for both criminals and researchers, but the difference is how the parties exploit vulnerabilities. For example, attackers act for the purpose of espionage, sabotage and fraud, while information security specialists analyze existing threats.

According to Rochford, in some cases it is possible to earn much more in a legal way (in this area, hackers can earn about $75 thousand). According to him, in underground markets, about $1 million can be earned for a vulnerability in Apache or Linux, while exploit brokers offer about $500 thousand. Vulnerabilities in WhatsApp for Android can also bring $1 million in black and gray markets. Within the framework of bug bounty programs, the most profitable are vulnerabilities affecting Safari in iOS, and in general, bugs in iOS can earn about $1 million, in the "gray" market - $2 million.

According to Rochford, attackers on average have 7 days to exploit the vulnerability before information security experts begin to analyze it, which is why "companies need to take measures to strengthen security."

According to a recent report, Bromium cybercrime revenue is estimated at $1.5 trillion, while the total market volume cyber security in 2019 was $136 billion^[23]

Apple opened its bug bounty program and increased the reward to $1 million

Main article: iPhone issues and security

Apple has opened to everyone its previously closed bug bounty program. Representatives of the company announced this at the Black Hat USA 2019 conference, held in August 2019 in Las Vegas. In addition to opening the program, Apple also added MacOS, tvOS, watchOS and iCloud to it and increased the reward for some vulnerabilities to $1 million.

The company first launched its bug bounty program in 2016, and so far it has been invitation-only. Notifications of vulnerabilities were accepted for participation only in a limited range of products, and the maximum amount of remuneration was $200 thousand. The company paid so much for vulnerabilities in hardware, for example, in firmware components responsible for secure loading. Now it is ready to pay $1 million for reports of vulnerabilities with which an attacker can carry out a network attack without user participation, allowing code to be executed at the kernel level while maintaining persistence.

Apple has also increased its reward for other vulnerabilities. For reports of vulnerabilities that allow a network attack without a single click from the user, with which an attacker can gain access to valuable confidential data, researchers are now entitled to $500,000. Another 50% of this amount will be received from researchers who discovered vulnerabilities before the official release of the software.

The world's first millionaire baghunter

In early March 2019, HackerOne, which develops a platform for finding vulnerabilities for money, introduced Santiago Lopez, a 19-year-old self-taught hacker from Argentina who became the world's first millionaire baghunter.

Lopez began reporting holes in their safety to companies through HackerOne in 2015. Since then, by March 2019, it has discovered more than 1,600 vulnerabilities and earned $1 million. His age doesn't embarrass anyone: 47.7% of the more than 300,000 baghunters registered to HackerOne are among a group of people aged 18-24, according to the company's annual report. However, Lopez's earnings are unusual: even the best baghunters find an average of 0.87 errors per month, which brings them about $34,255 a year. This is below the average salary in. Great Britain

Santiago Lopez is the world's first baghunter to earn $1 million in vulnerability searches

Many young security researchers note that baghuntering is not the most pleasant activity due to the specifics of communication with the employer. Often companies declare that they have already identified a mistake on their own, and they do not pay anything to the baghunter. However, the HackerOne platform is thriving, constantly receiving orders from around the world. HackerOne, founded in 2012, says it has paid hackers more than $42 million over the past period, while payments in 2018 more than doubled compared to 2017 (from $9.3 million to $19 million). More than half of hackers are registered in five countries: India, the USA, Russia, Pakistan and the UK.

Sites are a favorite target of cyberattacks, according to a survey in the annual report. More than 70% of hackers surveyed say they prefer to hack websites, followed by APIs (6.8%), storage technologies (3.7%), Android applications (3.7%), operating systems (3.5%) and downloadable software (2.3%). Baghunters, the services of which are used by the US Department of Defense, Hyatt, General Motors, Google, Twitter, GitHub, Nintendo, Lufthansa, Panasonic Avionics, Qualcomm, Starbucks, Dropbox, Intel and more than 1300 other customers, are becoming all the more popular.^[24]

2018

Hackers earn $500,000 a year to find a vulnerability commissioned by large companies

The best freelance hackers hired by large companies and government organizations like Tesla Motors and the US Department of Defense to find vulnerabilities can earn more than $500,000 a year. This was reported on December 12, 2018 by CNBC, citing data from the Bugcrowd platform, which unites so-called ethical or "white" hackers who practice computer hacking to draw attention to cybersecurity problems.

"White" hackers work under a clearly worded contract for a certain company and receive payments when they find some kind of hole in the company's IT infrastructure. The amount of remuneration depends on the severity of the problem identified.

Against the background of a shortage of specialists in the field of information security (information security), more and more companies are preferring alternative ways to protect their IT systems, said Casey Ellis, head of Bugcrowd. According to some estimates, by 2021 the number of open information security vacancies may reach 3.5 million.

The best freelance hackers hired by large companies and government organizations like Tesla and the US Department of Defense to find vulnerabilities can earn more than $500,000 a year.

In 2017, a large technology company paid through Bugcrowd the most impressive reward in the history of the platform for one identified vulnerability - $113 thousand. Bugcrowd data suggests that in 2017 the amount of payments rose by another 37%.

Half of ethical hackers, in parallel with freelance, work somewhere on an ongoing basis. The average annual earnings of 50 leading hackers is about $145 thousand, Ellis said. In a survey conducted by Bugcrowd, about 80% of information security specialists reported that the platform helped them find work in the field of cybersecurity.

The vast majority of bughunters collaborating with Bugcrowd are people aged 18 to 44, but there are also several "information security prodigies" among the audience of the platform who are still at school. About a quarter of hackers working with Bugcrowd did not graduate from high school, but nevertheless have the necessary skills to find vulnerabilities.^[25]

SAP, Symantec, and McAfee Source Code Disclosure to Russian Authorities

On January 25, 2018, Reuters reported that SAP, Symantec and McAfee agreed to disclose to the Russian Ministry of Defense the source codes of some of their software products to search for vulnerabilities that hackers could use to hack into IT systems.

The search for weaknesses in the program code of technology companies' products is a prerequisite for procurement ON state by military contractors, the Russia agency notes. It studied hundreds of documents on purchases by American government agencies and legislative regulation in Russia.

SAP, Symantec and McAfee disclose vulnerability scanning software source codes to Russia

According to cybersecurity experts and US lawmakers, this practice jeopardizes the protection of computer networks of at least 10 US departments, since the software that IT companies show to the Russian authorities is used to protect critical systems of the Pentagon, NASA, the Ministry of Foreign Affairs, the FBI and intelligence from hackers.

Theoretically, vulnerabilities found in the software Moscow can be used to their advantage, the newspaper notes. At the same time, Reuters has not yet been able to find a single example when it would be found that such a practice led to cyber attacks.

Representatives of SAP, Symantec, McAfee and Micro Focus say that the study of products is under the control of developers on secure equipment, where it is not possible to change or remove parts of the code, so there can be no question of a security violation.

SAP explained that viewing the source codes is carried out in an absolutely safe and company-controlled room, where any recording devices and even pencils are "strictly prohibited."

However, amid growing concern from the US authorities, Symantec and McAfee stopped allowing such checks on their software, and Micro Focus significantly reduced their number at the end of 2017.

Even allowing people to just look at the source code within a minute, there is a very big danger, "says Steve Quane, executive vice president of network protection technologies at Trend Micro.

According to him, because of these risks to which the American government is exposed, Trend Micro denied Russia access to the source code of the TippingPoint system.

Quain noted that leading information security experts can quickly detect vulnerabilities in software by simply examining the code. There are such specialists in Trend Micro, he added.

According to GOP Congressman Lamar Smith, laws are clearly needed that would ensure a higher level of cybersecurity for federal departments and related organizations.

A Symantec spokeswoman assured Reuters that the version of the Symantec Endpoint Protection firewall released at the end of 2016 never passed the source code check, and previous versions have received many updates since the detailed study of the product by the Russian authorities. Symantec sold the previous version of Endpoint Protection until 2017 and intends to release updates for this software until 2019.

McAfee confirmed the data obtained by Reuters that in 2015 the company provided access to the code of the Security Information and Event Management system of the NGO Echelon, which conducted an audit on behalf of FSTEC. Despite this, the US Treasury Department and the Defense Department Security Service continue to use the product to protect their networks, Reuters reported, citing contracts at the agency's disposal.

McAfee declined to comment further on the Reuters request. Earlier, the company said that the check of the source codes at the request of Russia was carried out in premises in the United States.^[26]

One of the products that Echelon investigated for vulnerabilities was the ArcSight ESM solution, which has been developed by the British company Micro Focus since the sale of the HPE software business. This software is used by the Pentagon, as well as at least seven US departments, including the Office of the Director of National Intelligence and the intelligence unit of the State Department.

HPE said none of the company's current products had been subjected to source code analysis by Russian authorities. True, after the deal with Micro Focus, the American company got rid of more software assets.

Aleksey Markov, president of the Echelon group of companies, told Reuters that American companies whose products were investigated for vulnerabilities initially expressed concern about the certification process.

The less the decision maker understands programming, the more paranoia they have. However, in the process of clarifying the details when performing certification, the dangers and risks are blurred, - said Markov.

According to him, Echelon always notifies IT companies before transferring data about any discovered vulnerabilities to the Russian authorities, allowing manufacturers to eliminate the shortcomings. Studying the source code of products "significantly improves their safety," he said.

Former Deputy Director of the US National Security Agency Chris Inglis counters: "When you sit at a table with card shulers, you cannot trust anyone. I wouldn't show the code to anyone.'

Russia in the top three countries in terms of the number of baghunters

Baghunters (from the English bug - error; hunter - hunter) earn many times more programmers, according to a survey by HackerOne, a platform organizing Bug Bounty projects, in which monetary incentives are paid for hackers found for information security vulnerabilities. At the same time, Russia is one of the three countries in terms of the number of such specialists.

According to the results of a study published in January 2018, the size of the premiums, which on average receive about 1,700 hackers from different countries registered on HackerOne, is 2.7 times the average earnings of software engineers, Bleeping Computer reports.

The survey showed that vulnerability catchers from developing countries benefit the most from participating in Bug Bounty programs. For example, in India, the earnings of the best baghunters can be 16 times higher than the median salary of full-time programmers of companies.

Also, the search for information security vulnerabilities for money can ensure a comfortable existence in Argentina, Egypt, Hong Kong, the Philippines and Latvia. In these countries, bug fighters receive an average of 8.1 to 5.2 times more than regular software developers.

However, "hunting for vulnerabilities" is also a profitable business for immigrants from developed countries, although the difference with the salaries of programmers is not so impressive here. For example, in the USA and Canada, experienced baghunters will be able to get 2.4 and 2.5 times more, and in Germany and Israel, the superiority on average earnings of programmers is 1.8 and 1.6 times.

The HackerOne report also reports some other interesting facts. In particular, the study showed that Russia is one of the three leaders in the number of hackers participating in Bug Bounty projects, second only to India and the United States. The first two countries account for 23% and 20% of HackerOne participants, and the contribution of the Russian Federation is 6%. Also in the top 5 were Pakistan and Great Britain with an indicator of 4% of the total number of baghunters each.^[27]

Notes