HackerOne
HackerOne is a platform popular among computer security experts around the world; through it, specialists and hackers can inform companies about the vulnerabilities they have found and receive a reward for doing so.
White Hacker Registry
Main article: White Hacker Registry
2024
The Ministry of Digital Development of the Russian Federation introduces state tariffs for searching for vulnerabilities in IT systems
On November 11, 2024, it became known that the Ministry of Digital Development of the Russian Federation intends to set state tariffs for remuneration payments under Bug Bounty programs. This concerns the involvement of "white hackers" in searching for vulnerabilities in IT systems.
According to the Kommersant newspaper, Deputy Minister of Digital Development Alexander Shoitov spoke about the initiative. Many federal and regional authorities use Bug Bounty programs, but they are not mandatory, he said. This is due to the need to justify the effectiveness of the relevant measures and to define the area of responsibility of the test participants. Shoitov emphasizes that in order to introduce Bug Bounty as a mandatory procedure, it must be regulated; in particular, state tariffs should be set.
Fyodor Dbar, commercial director of Security Code, says the introduction of state tariffs will standardize Bug Bounty. In addition, this is necessary "taking into account the fact that Bug Bounty may become mandatory for KII (critical information infrastructure) and government agencies."
It is planned to set tariffs for payments to "white hackers" for the vulnerabilities found. According to Luka Safonov, technical director of Garda WAF, prices can be determined by federal districts and separately for all-Russian services, for example, the Public services portal. He clarifies that in the federal districts the amount of payments can be 30-50 thousand rubles for critical vulnerabilities, and for services up to 1 million rubles. In general, market participants view the Ministry of Digital Development's initiative positively.
"Business itself can determine tariffs for such activities. When it comes to state systems, the issue of tariff formation should be unified," says Vladimir Dryukov, director of the Solar JSOC Cyber Attack Counteraction Center of Solar Group.[1]
"Poster" launches a separate vulnerability search program on the Standoff Bug Bounty platform
"Poster" launches a separate vulnerability search program on the Standoff Bug Bounty platform. Positive Technologies reported this on October 30, 2024.
Rambler & Co will test its security on the Standoff Bug Bounty platform using white hackers
Rambler & Co will test its security on the Standoff Bug Bounty platform using white hackers. Positive Technologies reported this on October 23, 2024.
Leningrad region launched a program to search for vulnerabilities
Leningrad region launches a new stage of the project to search for vulnerabilities. BI.Zone announced this on October 14, 2024.
Independent researchers will be able to assess the level of security of three state information systems on the BI.ZONE Bug Bounty platform.
White hackers will assess the vulnerability of the website of the government of the Nizhny Novgorod region
White hackers will assess the vulnerability of the website of the government of the Nizhny Novgorod region. BI.Zone announced this on September 30, 2024.
Volgograd region launched a program on BI.Zone Bug Bounty
The Volgograd region is the third constituent entity of the Russian Federation to launch a program on BI.ZONE Bug Bounty. BI.Zone announced this on September 23, 2024.
SOGAZ launches a program to find potential vulnerabilities on the BI.Zone Bug Bounty platform
SOGAZ launches a program to find potential vulnerabilities on the BI.Zone Bug Bounty platform. BI.Zone announced this on September 30, 2024.
Legalization of "white hackers" will be included in the national project "Data Economics"
In mid-September 2024, it became known that in Russia the activities of independent researchers in the field of information security - the so-called "white hackers" - will be enshrined at the legislative level. The relevant provisions will be included in the national project "Data Economics."
According to TASS, referring to the statements of the adviser to the general director of Positive Technologies Artem Sychev, the method of searching for vulnerabilities by independent researchers in Russia should be mandatory. This will increase the security of the information infrastructure.
"We are now helping the Federation Council to specify what should be corrected in the legislation so that such methods of providing security analysis are available to a wide range of companies, including the public sector," says Sychev.
The activities of "white" or ethical hackers imply testing the security of companies. Sychev says that such specialists can often simultaneously engage in various areas in the field of information security and conduct their research. As part of their work, "white hackers" attack significant segments of the infrastructure of an organization in the way that real cybercriminals would do, but in agreement with the customer. The client is then provided with a report of weaknesses in the defense. Based on this information, the customer can improve the security of their IT infrastructure.
The initiative to develop the legislative framework for the work of "white hackers" and protect their clients appeared in the summer of 2022. Its author was the Ministry of Digital Development, which is actively developing Bug Bounty programs in the public sector. According to the Kommersant newspaper, the need for business and companies to attract testers arose due to a sharp increase in cyber attacks on the Russian IT infrastructure after the worsening geopolitical situation.[2]
Innostage raises reward for hackers to 10 million rubles
Innostage on September 9, 2024 announced a twofold increase in remuneration for participants in its open cyber trials (CSR). The program is implemented on the Standoff Bug Bounty security researcher platform and is designed to test and increase business cyber resilience.
Sberbank launches three vulnerability search programs on BI.Zone Bug Bounty
Sber has launched three vulnerability search programs on BI.ZONE Bug Bounty. BI.Zone announced this on August 22, 2024.
Innostage expands rewards program for white hackers
IT company Innostage has supplemented its open cyber program with new conditions. They relate to rewards for intermediate actions on the way to the implementation of an unacceptable event (NA). The company announced this on July 10, 2024.
16 thousand ethical hackers are testing electronic government systems in the Russian Federation
Already 16 thousand ethical hackers are testing electronic government systems in the Russian Federation. This was announced on June 17, 2024 by the press service of State Duma deputy Anton Nemkin.
The Ministry of Digital Development has been conducting the second stage of its bug bounty program since November 2023. As of June 2024, 16 thousand ethical or "white" hackers are already looking for vulnerabilities in Public services, SMEV (the Unified System of Interdepartmental Electronic Interaction), the feedback platform and other government systems.
The maximum remuneration that they can receive is 1 million rubles. As shown by the interim results of the second stage of the program, experts were able to detect about 100 vulnerabilities in 10 systems. Most of them are with a low degree of criticality.
The first stage took place from February to May 2023, and more than 8 thousand people took part in it. As the Ministry of Digital Development recalled, in order to take part in the program and receive 1 million rubles, you need to have Russian citizenship, be over 18 years old, register on the BI.ZONE Bug Bounty or Standoff 365 Bug Bounty platforms, and comply with the rules of the bug bounty platforms.
Specialists check only the external perimeter of the systems and do not have access to internal data, and monitoring systems control the activity of bug hunters; therefore, the vulnerabilities found cannot be used for hacking, the ministry added.
Ethical hackers, also known as "white" hackers, play an important role in protecting information systems and networks from malicious attacks, recalled Anton Nemkin.
"First of all, ethical hackers check systems for weaknesses that can be exploited by attackers. This helps organizations detect and eliminate vulnerabilities before they are exploited in real-world attacks. They also help system developers and administrators improve security by offering recommendations and solutions to protect data and infrastructure. In addition, "white" hackers can also train employees and users in cybersecurity, which reduces the risk of successful attacks related to the human factor, such as phishing or social engineering," the deputy said.
"For example, to test the security of companies' systems as of June 2024, "white" hackers need to obtain a lot of permissions from the copyright holder of each program that is part of the information system. Testing without such permits may entail copyright infringement, and the "white hackers" themselves may be obliged to pay compensation in the amount of 10 thousand rubles to 5 million rubles, or twice the cost of the right to use the corresponding program. Ethical hackers can also face criminal liability," he said.
In order for the listed threats not to become an obstacle to the work of ethical hackers, a package of bills was developed that should help legalize their work in Russia.
"One of the bills proposing amendments to the Civil Code has already been submitted to the State Duma and recommended by the State Construction Committee for adoption in the first reading. It regulates the possibility of testing the security of systems without violating the copyright of their creators and owners. The second bill is also ready to be introduced: it proposes to amend Article 16 of the Federal Law "On Information, Information Technologies and Information Protection." As of June 2024, it is passing the last approvals. This bill provides for amendments to the legislation that will consolidate the ability of the information system operator, on the terms determined by him, to carry out measures to identify vulnerabilities in the information system, including with the involvement of specialists who are not his employees. Also in our work are amendments to the Criminal Code, which propose to supplement a number of articles of the Criminal Code of the Russian Federation to exclude the possible risks of bringing "white" hackers to criminal responsibility," said Nemkin.
Ministry of Digital Development: "White Hackers" identified 100 vulnerabilities in state IT systems
"White hackers" have identified 100 vulnerabilities in government IT systems. This was reported by the Ministry of Digital Development of the Russian Federation on June 14, 2024.
According to the department, most of the shortcomings found in GIS have a low degree of criticality. The maximum payment for the vulnerability found was 500 thousand rubles.
By mid-June 2024, within the framework of the second stage of the bug bounty program carried out by the Ministry of Digital Development, 16 thousand specialists are looking for vulnerabilities in Public services, the Unified System of Interdepartmental Electronic Interaction, the feedback platform and other state systems. The maximum remuneration that they can receive is 1 million rubles.
Specialists check only the external perimeter of the systems and do not have access to internal data, and monitoring systems control the activity of bug hunters, so the vulnerabilities found cannot be used for hacking.
To take part in the program and get 1 million rubles, you need
- have Russian citizenship;
- be over the age of 18;
- register on BI.ZONE Bug Bounty or Standoff 365 Bug Bounty platforms;
- comply with the rules of the bug bounty platforms.
According to market participants interviewed by Rossiyskaya Gazeta, searching for vulnerabilities in the digital circuit can become more effective if ethical hacking is legally allowed to providers of such services, making it a licensed type of activity.
"How does it work in Russia? You enter into a pentesting contract with the organization and then additionally obtain permission from it to hack into its systems. Of course, they grant it. But with tough parameters: on such and such a date at such and such a time, you must attack specific IP addresses. In fact, you are allocated a "sandbox," to whose defense the forces of all the company's IT specialists will be thrown. This is a simulation, consulting, anything, but not a pentest," Evgeny Chereshnev, MTS vice president of strategy and innovation, told the publication.[3]
Kaspersky Lab: Apple did not pay us for the vulnerabilities found
In early June 2024, it became known that Apple had refused to pay Kaspersky Lab a reward for vulnerabilities discovered in the iOS operating system used on iPhone smartphones. This concerns, in particular, a hole that allows zero-click attacks, which do not require any participation from the user.
The Russian government supported the bill on "white" hackers, but with improvements
On May 30, 2024, the Russian government supported a draft federal law on the legalization of the activities of the so-called "white" hackers. At the same time, experts pointed out the need to finalize the document.
The bill in question was developed in order to "exclude recognition as copyright infringement of programs for electronic computers or databases when testing the security of information systems." However, as stated in the official review, the proposed rules do not take into account the need for information support for work carried out by authorized federal executive bodies in accordance with Russian legislation on state secrets, information, information technologies and information protection, as well as in the field of ensuring the security of the country's critical information infrastructure.
Experts point to another drawback of the bill. It is said that the transfer of information about the identified defects of the software to copyright holders under the jurisdiction of unfriendly states is not in the interests of ensuring the security of the Russian Federation.
Thus, the review says, the bill requires revision, taking into account the introduction into industry legislation of comprehensive changes, including those providing for the definition of the legal framework for identifying vulnerabilities in software and information systems. In addition, the risks of such work should be minimized.
"The bill complies with acts of higher legal force, including the Treaty on the Eurasian Economic Union. The Government of the Russian Federation supports the bill, subject to its revision, taking into account these comments," the published review emphasized.[4]
Natalya Kasperskaya: legalization of white hackers is an unjustified risk, there will be more hacks
At the end of May 2024, Natalya Kasperskaya, President of InfoWatch Group of Companies, Chairman of the Board of ARPP Fatherland Software, spoke about her position on the bill on the legalization of "white" hackers. In her opinion, this initiative will lead to an increase in the number of cyber attacks.
"The adoption of the law on "white hackers" is an unjustified risk, since hypothetically the law can seriously expand hacking capabilities," Kasperskaya said in a conversation with RIA Novosti.
However, the idea of legalizing the activities of "white" hackers raises concerns in the expert community. Natalya Kasperskaya, President of InfoWatch Group of Companies, considers the adoption of such a law to be "unjustified risk," since it will potentially expand the capabilities of cybercriminals to hack systems. As a result, there will be more of them. She added that as a justification for the adoption of the bill, the authors say that "white" hackers can allegedly fall under criminal liability, but even "black" hackers rarely fall under the article. "Instead, you can conclude contracts and prescribe specific conditions for working with persons who have access to classified information," she notes.
Kasperskaya suggests that the real reason for the bill is the introduction of mandatory security checks for computer systems. However, if such checks are "imposed," the qualifications of the people who conduct them will fall, since the country does not have enough highly qualified specialists in this field, she added.[5]
VK paid about 240 million rubles to security researchers
VK has processed over 18 thousand reports from bug hunters and paid more than 236 million rubles over the 10 years of its Bug Bounty vulnerability search program. The company announced this on April 16, 2024.
The State Duma Committee approved amendments to the Civil Code of the Russian Federation aimed at legalizing "white" hackers
The State Duma Committee on State Construction and Legislation recommended that the House of Parliament adopt in the first reading the first of a package of bills aimed at legalizing the activities of "white" hackers in Russia. The authors of the bill, representatives of the party project "Digital Russia" Anton Nemkin, Gennady Panin and Igor Markov, and members of the State Duma Committee on Information Policy Vyacheslav Petrov and Anton Tkachev, propose to amend Article 1280 of Part Four of the Civil Code of the Russian Federation. This was announced on March 25, 2024 by the press service of State Duma deputy Anton Nemkin.
To test the security of Russian companies' systems, "white" hackers need to obtain a large number of permissions from the copyright holder of each program that is part of the information system. Testing without such permissions may result in copyright infringement. In this case, "white" hackers may be obliged to pay compensation in the amount of 10 thousand rubles to 5 million rubles, or twice the cost of the right to use the corresponding program.
Based on this, the bill provides for the possibility of studying, researching or testing the functioning of programs by a person who lawfully owns a copy of a computer program or database, in order to identify vulnerabilities in it and correct obvious errors. This process can also be entrusted to other persons, subject to a number of conditions: identification of vulnerabilities is carried out exclusively in relation to instances of the computer program and database operating on the user's own technical means; information about the identified gaps may be transmitted only to the copyright holder or to those who will eliminate these vulnerabilities, unless otherwise established by law.
According to the bill, "white" hackers must inform the copyright holder about the identified vulnerabilities within five working days from the date of their detection, except if it was not possible to establish its location, place of residence or address for correspondence.
The adoption of the bill will allow analyzing vulnerabilities in any form, without the permission of the copyright holders of the corresponding program, including the copyright holders of infrastructure and borrowed components.
"It is important for government agencies and large corporations, which often have their own staff of qualified IT specialists, to systematically attract "white" hackers as independent professionals. This is because they can, for their part, test the security of information systems using the same tools as their unethical counterparts. This is especially important when it comes to protecting huge amounts of personal data of citizens and access to key state systems and services, including in the context of external attacks on such resources that are unprecedented in scale and aggressiveness. Testing IT systems for strength, a "white" hacker acts on behalf of and with the consent of the owner of such a system and does not commit anything illegal. Our goal is to ensure that this is enshrined in the legislation, and that the specialists themselves receive more freedom for their work for the benefit of the state," said the deputy.
"It is especially important to protect key government systems and services from unprecedented external attacks: in 2023, their number increased by 65% compared to 2022. Nevertheless, the Russian bug bounty market is in its infancy and is still very small; its volume in 2023 did not exceed 200 million rubles. This is partly due to the fact that in Russia there are certain risks to the work of "white" hackers, so they are in no hurry to come out of the shadows. We are trying to solve this problem with our bills. I am sure that when they come into force, the popularity of "white" hackers will multiply," concluded Anton Nemkin.
The services of ethical hackers are already used by some companies. For example, in 2023 Yandex paid such specialists 70 million rubles for searching for vulnerabilities in its services and infrastructure. In 2024, 100 million rubles will be allocated for these purposes. The company also holds contests to find specific types of errors, in which awards can be 10 times higher than regular payments. At the same time, Yandex itself sees a concrete benefit from holding such contests: they help focus the attention of "white" hackers on the areas of security most important to the company. For example, one of these contests was held specifically to search for vulnerabilities that could lead to data breaches. Ozon, VK and Tinkoff also run their own programs.
Yandex has increased the reward for bug hunters in smart devices to a million rubles
Yandex has expanded the Bug Hunt program for smart devices, adding the devices released in 2023: the Duo Max and Midi Stations and the TV Stations. The maximum remuneration for the vulnerabilities found increased from 600 thousand to a million rubles. This will help attract more "white hackers" to test the devices for strength. Yandex announced this on February 7, 2024.
2023
In 2023, Yandex paid 70 million rubles to ethical hackers
In 2023, Yandex paid 70 million rubles to participants in the Hunt for Errors program, which is dedicated to finding vulnerabilities in the company's services and infrastructure. Yandex announced this on March 12, 2024. Compared to 2022, the total amount of payments almost doubled. This is due to the launch of competitions in various areas of the "Hunt" with increased payments, an increase in awards and an increase in the number of program participants. In 2022, Yandex paid researchers about 40 million rubles.
Positive Technologies Launches Its First Bug Bounty Product Program
Positive Technologies launched its first bug bounty program for its products. The company announced this on December 20, 2023.
The Prosecutor General's Office and the Ministry of Internal Affairs oppose the legalization of "white" hackers
On November 28, 2023, the Prosecutor General's Office, the Ministry of Internal Affairs and the Investigative Committee announced that they did not support the initiative to legalize "white" hackers in Russia. Law enforcement agencies fear that such a practice will complicate the prosecution of real cybercriminals.
We are talking about amending the Criminal Code, which can legalize the creation and use of malicious software by ethical hackers on the instructions of the customer. Such specialists can be rewarded by companies to search for vulnerabilities in their information systems and software (bug bounty concept). The bill provides that "white" hackers will be able to study and test products for weaknesses and at the same time will have to report the found "holes" to the software copyright holder without fail. In addition, the government will have the right to establish requirements for identifying vulnerabilities (now they are determined by the actual customer of the bug bounty program).
On the one hand, the proposed amendments will help improve the situation in the field of cybersecurity. According to Vladimir Bengin, director of product development at Solar Security, more than 50% of Russian ethical hackers do not enter the legal field, because they fear criminal prosecution. Legalization of the activities of such specialists will eliminate this obstacle. In addition, a platform can be created that will simplify the interaction of "white" hackers with companies.
But, on the other hand, the law enforcement structures believe, the changes in legislation can be used by attackers. For example, real cybercriminals will be able to present documents on the conclusion of a contract for testing the hacked information systems in order to prove their innocence. In such cases, proving malicious intent will be problematic.[6]
The Ministry of Digital Development of the Russian Federation is preparing a permanent program for searching for vulnerabilities in the electronic government
The Ministry of Digital Development of the Russian Federation is preparing a permanent program for searching for vulnerabilities in the electronic government. The plans of the department became known on November 9, 2023.
On this day, the Kommersant newspaper, citing sources in the IT market, wrote that the Ministry of Digital Development by the end of 2023 will launch the Bug Bounty program (testing information systems by "white hackers" for vulnerabilities) for 9 of its own services, including the Unified Biometric System (EBS), the Unified Identification and Authentication System and the Unified Regulatory Reference Information System.
The Ministry of Digital Development launched the first Bug Bounty initiative at the Public services in partnership with Positive Technologies (Standoff 365 Bug Bounty) and BI.Zone (BI.Zone Bug Bounty), they lasted three months. The new program is planned for a year with the same partners, informed interlocutors told the newspaper.
According to Vladimir Dryukov, director of the Solar JSOC Center for Countering Cyber Attacks (which participates in the testing together with Rostelecom Information Security), the first Bug Bounty project was a test, with a limited period and number of systems for research; now the program will be launched on an ongoing basis.
The publication of Kommersant notes that the Ministry of Digital Development has become the only government agency that has tested the search for vulnerabilities by white hackers on their own systems. According to experts interviewed by the publication, such experience should be expanded to the services of other departments. However, by November 2023, it is premature to spread the initiative in a wide range partly due to the lack of technical and financial resources for a comprehensive analysis of vulnerabilities, as well as a possible shortage of personnel, said Artem Sheikin, deputy chairman of the council for the development of the digital economy under the Federation Council.[7]
Ministry of Digital Development shared the results of bug bounty of Public services and ESIA
The Ministry of Digital Development, at the TAdviser SummIT Cybersecurity conference in October 2023, revealed the current results of the program for commercial search for vulnerabilities (bug bounty) in the Public services and ESIA services. At the moment, within the framework of the study, which has been running since February 2023, 37 vulnerabilities were identified, for which 1.95 million rubles were paid. The payment was made by Rostelecom, the operator of both services. The program of open testing, first of the Public services site and then of ESIA, was initiated by the Ministry of Digital Development on February 10 on two domestic platforms, BI.ZONE Bug Bounty and Standoff 365. To date, more than 8 thousand specialists have taken part in the study and have submitted a total of 187 reports.
"The research experience was recognized as successful," said Yevgeny Khasin, deputy director of the cybersecurity department of the Ministry of Digital Development. "For such money, we could not find such vulnerabilities before. During the study, architectural vulnerabilities were also identified. In addition, the process of informing FSTEC about the discovered vulnerabilities was worked out. For us, this is the cheapest way to find vulnerabilities and check the operation of our SOC."
It is clear that when testing such a high-load system for researchers, rather strict requirements were established: not to disrupt the functioning and availability of GIS, not to use physical penetration into the infrastructure, not to apply social engineering practices and hacking user accounts, not to move into the internal perimeter, not to download data from the system and not distort them. Payments were made only if all these requirements were met.
According to Yevgeny Khasin, commercial vulnerability search programs have serious advantages over the classic penetration test (pentest), which has previously been used to verify the security of these government services. In particular, a bug bounty works continuously, in contrast to a pentest, which has to be repeated regularly. The study involves an unlimited number of researchers, so it is not limited by the qualification of a single pentester or company. Payment is made only for a genuinely confirmed vulnerability; this is monitored by the platform that organizes and controls the vulnerability search process. As a result, for well-protected resources, payments for discovered vulnerabilities are cheaper than regular, rather expensive pentests.
Ministry of Digital Development plans to launch bug bounty programs
In 2023, Ministry of Digital Development plans to launch vulnerability search programs for a reward for 20 information systems. In addition, it is planned to expand the powers of applicant researchers.
"The effectiveness of this practice has been proven; it finds its application not only in the work of the Ministry of Digital Development and government agencies, but also in business. In general, such an analysis of the security of information systems should be carried out on a regular basis," he explained.
Evgeny Khasin said that at the beginning of 2023 the program was already tested on Public services. As a result, the total amount paid to white hackers amounted to about 2 million rubles. "The work was carried out by the Ministry of Digital Development together with Rostelecom. The bug bounty platform for public services was provided by Positive Technologies and BI.ZONE," a ministry spokesman explained.
"At the same time, such events served as some incentive for the development of the information security industry, especially in the context of integrating new, successful international practices, the same white hackers. At the level of individual companies, an understanding has been reached that white hackers should become part of the policy to ensure information security," the deputy said.
"It should be understood that modern cybersecurity is not only about the implementation of regulatory practices, which are determined, for example, by FSTEC, but also about constant self-verification. Attacks on software solutions and infrastructure occur constantly, so protection must become constant and continuous. The state is also aimed at the systematic development of this industry. Therefore, the issue is being worked out both in the Ministry of Digital Development and in our committee. There are two main areas of activity here: on the one hand, the creation of platforms on which such practices will be implemented, and on the other hand, a lot of work to popularize the direction among business and government agencies," the parliamentarian said.
Innostage protects clients from invalid events
Innostage announced on September 22, 2023 that it would check the level of protection of its own information infrastructure using the bug bounty program. Read more here.
Import substitution of "white hackers." The main trends of Bug Bounty in Russia have been identified
The pioneers in the use of bug bounty were large companies from the financial sector, retail and IT. Now both medium and even small businesses come to the conclusion that this is an effective security analysis tool. This trend is noted by BI.Zone, which on August 24, 2023 summed up the work of its BI.Zone Bug Bounty platform for the year.
Another trend is the public sector's interest in bug bounty. Now on the BI.Zone Bug Bounty platform there are information systems from this area. Largely due to the fact that the Ministry of Digital Development drew attention to this security analysis tool, its development received an impetus in the public sector. First, the bug bounty program for "Public services" was launched in test mode. And now a large number of other bug bounty programs are being prepared, which will later be published, said Evgeny Voloshin, director of strategy at BI.Zone.
There is some specificity in working with this segment compared to business. In general, administratively for the bug bounty site, working with the public sector is a little more difficult due to the formalization and bureaucratization of processes, explained Evgeny Voloshin, answering TAdviser questions. At the same time, he noted, everything is going very cheerfully with the Ministry of Digital Development.
Ramazan Ramazanov, bug hunter and head of the external pentest department at DeteAct (which provides application security analysis, infrastructure penetration testing and architecture security audit services), believes that "white hackers," himself included, have some concerns when working with the state: "initially, many thought that they could stage a 'mask show'" (a raid by masked law enforcement), so there is some wariness.
Among the trends in the Russian bug bounty services market, BI.Zone notes that the community has become accustomed to domestic platforms. In 2022, foreign bug bounty platforms, including the most popular one, HackerOne, abruptly stopped operating in Russia. And foreign bug hunters "fell off" for Russian companies, including due to problems with payments caused by sanctions. Against this background, similar Russian platforms began to actively develop.
Both last year and in 2023, there are three main players here: the Bugbounty.ru platform, which is being developed by Sinclit and which was launched earlier than others, Standoff 365 Bug Bounty from Positive Technologies and BI.Zone Bug Bounty from BI.Zone.
On the BI.Zone Bug Bounty platform, which started in August 2022, as of August 2023, 17 companies and 51 public programs are represented, Evgeny Voloshin cited data.
Among the clients are such companies as Tinkoff, Avito, VK, Ozon, SberAvto and SberMarket. One of the latest public bug bounty programs was launched by Astra Group to search for vulnerabilities in its Astra Linux OS. BI.Zone names Sberbank as one of the users of its non-public programs.
Evgeny Voloshin, in a conversation with TAdviser, noted that from what can be seen now, about half of the user companies of their platform also use one or two more bug bounty platforms from those on the market.
Tinkoff, for example, is now present on all three Russian platforms after HackerOne, which it previously used, left Russia. Dmitry Gadar, vice president and director of the Tinkoff information security department, says that in the first half of 2023, in terms of the number of monthly vulnerability reports, their company has already returned to the level it had before February 2022. And in terms of the total number of reports for the six months of 2023, Tinkoff has already exceeded the number for the entire 2022 by 3 times.
"It seems that the trend is as positive as possible, and we are returning to the state in which we were on the international venues," notes Dmitry Gadar.
The total number of "white hackers" participating in bug bounty programs on Russian platforms is so far estimated at about 4 thousand people. This is significantly less than was generally available to Russian customers earlier, when their systems could be "broken" by experts from all over the world on international platforms. The attraction of foreign bug hunters is now proceeding at a rather slow pace. At the same time, in previously published statistics from international platforms, Russia was listed among the leading countries in terms of the number of bug hunters.
Over the year, BI.Zone Bug Bounty paid "white hackers" more than 15 million rubles for the vulnerabilities found. Of all the "finds," 13% are critical and high-severity vulnerabilities, i.e., those that can lead to a shutdown of a business or service, or theft of data or money. In some cases, if such vulnerabilities were exploited, the business could suffer billions in losses, says Evgeny Voloshin.
Yandex has opened a hunt for hackers for special "holes" in its services, the maximum reward is 2.8 million rubles
Yandex is launching a competition in the Bug Hunt program, in which ethical hackers will have to look for errors and vulnerabilities in Yandex services that can lead to the disclosure of sensitive information. The maximum reward for a critical vulnerability will be 2.8 million rubles - this is 5 times more than the usual payment for these categories of the program, Yandex representatives shared with TAdviser on August 1, 2023. Read more here.
"White" hackers found 34 vulnerabilities of the public services portal - "a lot of interesting things"
On May 19, 2023, the Ministry of Digital Development announced the results of the bug bounty program on the portal of public services, which was launched in early February. According to the ministry, more than 8.4 thousand bug bounty participants from all over Russia checked the security of the portal and competed for remuneration. In total, 34 vulnerabilities were discovered, most of which were of medium and low criticality.
For critical vulnerabilities, cash payments of up to 1 million rubles were provided, depending on the criticality of the vulnerability found. As a result, the maximum payment for a found bug amounted to 350 thousand rubles, the minimum to 10 thousand rubles.
Testing took place on the BI.Zone Bug Bounty and Standoff 365 platforms. The project was sponsored by Rostelecom, RTK-Solar is the information protection operator of the public services portal.
Bug hunters did not have access to internal data, the Ministry of Digital Development says. Participants worked only on the outer perimeter, and the vulnerabilities found were fully controlled by monitoring systems so that they could not be used for hacking.
"We had a hypothesis that if we carry out a bug bounty, then for a fairly small amount of allocated funds we will be able to radically increase the level of security, find many vulnerabilities, and nothing bad will happen. We coordinated it for a long time and talked it out with other regulators, because everything new causes a lot of risks and fears," said Vladimir Bengin, director of the Ministry of Digital Development cybersecurity department, at PHDays on May 19. "Today we believe that the first stage of bug bounty has been finished by the Ministry of Digital Development, and it passed categorically successfully."
Vladimir Bengin added that the monitoring systems regarded any study as a standard attack, without distinguishing researchers from attackers - there was technically no such possibility. And the department was sure that in fact vulnerabilities would not be found at all or would be found, but not much.
"But no, we found a lot of interesting things: several dozen vulnerabilities of different criticality. Some have already been eliminated, some have been mitigated," said the director of the cybersecurity department of the Ministry of Digital Development.
"This is a complex procedure, where you need to work out a lot of nuances clearly. The most difficult thing was to build systematic work on processing reports, because a large number of hackers were involved, and many messages were received from them. And for each vulnerability, the department was forced, once it confirmed and understood that such a vulnerability really exists, to take all monitoring systems and check historically whether there had been any triggers earlier, whether anyone had exploited this vulnerability.
This is hard work, but super useful," said Vladimir Bengin.
The Ministry of Digital Development plans in the future to continue to conduct bug bounty "Public services," as well as expand the program to other departments.
Ministry of Digital Development: there are very few "white" hackers in Russia
In mid-April 2023, the Ministry of Digital Development, Communications and Mass Media of the Russian Federation reported a small number of so-called "white" hackers ("pentesters") in the country, so businesses decided to launch training programs for such specialists.
"By the way, we have very few pentesters in the country. Over the past year, all top teams have been busy, and not only top teams but also small teams, even very small ones, they say: everyone has a lot of orders. And, it turns out, we have few hackers. Therefore, several trainings were launched. Thanks to the companies for this," said Vladimir Bengin, director of the Ministry of Digital Development cybersecurity department, at one of the forums on April 14, 2023.
According to him, over the past four months, two or three new courses have appeared. He added that the Ministry of Digital Development is in favor of training "white" hackers "in the industry."
"White" or "ethical" hackers are cyber intruders who use their skills for good. They help developers look for gaps in their products, but by no means free of charge. The symbol of this movement is the white hat, from which the name of the "white" hackers came. Earlier it was reported that the Ministry of Digital Development is working to legalize the activities of "ethical" hackers. As Vedomosti wrote, the ministry considered the possibility of introducing the concept of bug bounty into the legal field.
This is due to the fact that the concept of bug bounty does not appear in current Russian legislation, that is, such hackers could at any moment find themselves testing how well the punishments provided for by the Criminal Code are carried out in Russia.
In March 2023, Secretary of the Security Council of the Russian Federation Nikolai Patrushev called on departments to minimize the risks of information leaks. He noted that it is worth taking into account the increased danger of harm to the Russian information infrastructure, the possibility of blocking, destroying and compromising it and strengthening the protection of the domestic digital space.[8]
FSB and FSTEC turned out to be against the bill on "white hackers"
The Federal Security Service (FSB) and the Federal Service for Technical and Export Control (FSTEC) were against the bill on "white hackers" due to the provisions of the Criminal Code related to unlawful access to information. In this regard, the adoption of the initiative may be postponed, Vedomosti writes in the issue of March 27, 2023.
The bill refers, in particular, to changes in Art. 272 of the Criminal Code of the Russian Federation "Illegal access to computer information," a source in one of the cybersecurity companies familiar with the document told the publication. This article implies illegal access to legally protected computer information, if these actions entailed, in particular, modification and copying of this information. The maximum liability under this article is seven years in prison, the newspaper notes.
According to one of Vedomosti's interlocutors, the position of the FSB and FSTEC was expressed by their employees at working meetings on the bill with the Ministry of Digital Development. According to one of the interlocutors, the line between criminal actions and legal ones is "very shaky," and "no one will change the Criminal Code."
According to lawyer Maxim Matsenko, head of criminal practice at Vinder Law Office, the problem of vulnerability of "white hackers" does not exist. The hacker's participation in the vulnerability search program for money suggests that companies participating in the project voluntarily provide their networks to search for vulnerabilities, he explains. This completely excludes criminal liability, provided that the hacker does not go beyond his rights, the lawyer noted.
According to lawyers interviewed by the newspaper, by March 2023, the Criminal Code of the Russian Federation has a number of articles under which the activities of white hackers may fall. Among them are "illegal access to computer information," "creation, use and distribution of malicious computer programs," "violation of the rules for the operation of means of storing, processing or transmitting computer information."[9]
The program for searching for "holes" in "Public services" is open. White hackers will be paid up to 1 million rubles for a vulnerability found
As previously predicted by TAdviser sources in the information security market (see the publication in the block below), in the week of February 6-12, 2023, the Ministry of Digital Development launched a project to search for vulnerabilities in Public services and other e-government resources. It was announced, in particular, on February 10. Third-party bug hunters will check the security of e-government for the first time.
The program will take place in several stages. At the first stage, which will last 3 months, independent researchers will check the Public services portal and the Unified Identification and Authentication System (ESIA). In the next stages, the list of resources will be expanded, and the conditions will be updated.
The prize fund of the program is 10 million rubles. It is sponsored by Rostelecom, which is responsible for operating the e-government infrastructure.
The reward for bug hunters depends on the severity of the vulnerability found:
- low - gifts with project symbols;
- medium - up to 50 thousand rubles;
- high - from 50 to 200 thousand rubles;
- critical - up to 1 million rubles and gratitude from the Ministry of Digital Development team.
Testing is available on BI.ZONE and Positive Technologies platforms.
Citizens of Russia can take part in the programs. The age of participants on BI.ZONE Bug Bounty is from 18 years old, on Standoff 365 Bug Bounty you can participate from the age of 14, if there is written consent of parents.
The task is to find bugs and report them to the Ministry of Digital Development. The logic and methods of hacking will be monitored by the project curators.
To participate, you need:
- Register on the selected platform;
- Read and agree to the terms of the program;
- Find the vulnerability without breaking the rules;
- Send vulnerability information through the platform;
- Wait for confirmation of the vulnerability from the Ministry of Digital Development.
In 2022, the number of attempts to hack government resources increased by 80% compared to 2021. The Ministry of Digital Development invites bug hunters to join the program in order to work out new hacking scenarios and find the maximum number of security vulnerabilities, the program description on Public services says.
The state program for searching for vulnerabilities starts. White hackers will look for "holes" in "Public services" and ESIA
In the week of February 6-12, 2023, the Ministry of Digital Development expects to launch the bug bounty program to search for Public services vulnerabilities. In early February, TAdviser was told about this by three sources in the information security market, and it was confirmed by a source close to the Ministry of Digital Development.
It will be launched, in particular, on the resources of information security companies Bi.Zone and Positive Technologies, which already have bug bounty platforms according to the developed rules and standards.
TAdviser has contacted all of the above organizations for comment, but they are not yet ready to say anything.
The platforms for the Ministry of Digital Development's bug bounty on "Public services" will be provided by the platform operators free of charge. According to TAdviser, "white hackers" will look for vulnerabilities, including in the unified identification and authentication system in the infrastructure of the electronic government of the Russian Federation (ESIA), which provides access to state resources.
Recall that in October, at the TAdviser IT Government Day conference, Minister of Digital Development Maksut Shadayev spoke about plans to hold a bug bounty on Public services. The agency hoped to announce and hold it by the end of 2022.
A source close to one of the companies participating in the project says that some delay is due to the fact that in order to conduct the program it was necessary to deal with a lot of legal nuances.
According to him, one of the ideas discussed is to make bug bounty a mandatory norm when putting state information systems into operation after the "run-in" on the "Public services." But this, most likely, will not happen quickly: in this case, a more complex procedure for coordinating with the FSTEC and clarifying legal points will be required, including how owners of state information systems will be able to pay for such services.
The corresponding rule on bug bounty may be further included in the Decree of the Government of the Russian Federation of July 6, 2015 N 676 "On Requirements for the Procedure for the Creation, Development, Commissioning, Operation and Decommissioning of State Information Systems and Further Storage of Information Contained in their Databases," added the interlocutor of TAdviser.
2022
VK paid white hackers more than 37 million rubles
For 2022, in which the VK bug bounty program began to be run on a domestic platform, the company paid a total of more than 37 million rubles to white hackers. At the same time, the strategic goal of the IT company is to ensure the full integration of bug hunters into the information security architecture, given the effective results of such programs. Read more here.
The Ministry of Digital Development will check the security of Public services at two sites at once, but it will not pay white hackers
As it became known at the end of October 2022, the Ministry of Digital Development plans to check the security of Public services on two platforms at once, but the department will not pay white hackers.
As Vedomosti writes with reference to representatives of Positive Technologies and Cyberpoligon, these companies have been engaged by the Ministry of Digital Development to search for vulnerabilities on the State Public services portal. By the end of October 2022, the department was coordinating a general concept with other executive authorities, the Ministry of Digital Development told the newspaper.
It is assumed that monetary rewards for white hackers will still be provided, but directly from the sites themselves as part of increasing the experience of experts and checking the level of security of Public services.
The representative of the Ministry of Digital Development explained to the newspaper that at this stage this is an initiative of the information security companies themselves, which at the current stage does not provide for monetary remuneration from the department, and access to this program will be open to all participants on equal terms.
At the same time, the Ministry of Digital Development noted that such initiatives by industry players, their readiness for work are "another indicator of the responsiveness of the IT community and its involvement in the digital security of the state."
Participants in the information security market interviewed by the newspaper believe that researchers will not work for free, or in this case they will still find a way to monetize information about the problems found, for example, they will sell reports on vulnerabilities on the darknet. To minimize these risks, the heads of bug sites will pay small amounts themselves, and white hackers will gain experience and increase their personal rating on the platform for detecting vulnerabilities in this case.
On October 5, 2022, the head of the Ministry of Digital Development of the Russian Federation Maksut Shadayev announced the holding of the Bug Bounty program for the State Public services portal by the end of the year in order to encourage specialists in finding errors in service systems.[10]
Bug Bounty in Russia: market condition and prospects. TAdviser Overview
The popularity of bug bounty programs is growing in the world: in them, a company attracts third-party security specialists, the so-called "white hackers," to test its software for vulnerabilities for a reward or other perks. Unlike pentests involving contractors, in the case of bug bounty, payment is for vulnerabilities discovered, not for the time spent by an information security specialist. In Russia, interest in this practice is also increasing, and not only from business, which began to resort to bug bounty earlier, but also from the public sector. TAdviser examined the current state and prospects of this market and prepared a review. The partner of the material was Positive Technologies. Read more here.
VK paid safety researchers three million rubles
On October 18, 2022, VK announced that it had received 300 vulnerability reports from external experts for three months of the bug bounty program on the Standoff 365 Bug Bounty platform, developed by Positive Technologies. VK experts recognized more than half of the messages as significant, the vulnerabilities identified on their basis were eliminated. At the same time, more than 50 security researchers received a reward totaling three million rubles. Read more here.
BI.Zone introduced the BI.Zone Bug Bounty vulnerability search platform
On August 25, 2022, BI.Zone (Secure Information Zone, Bison) introduced the Bug Bounty platform, on which more than 300 baghunters were pre-registered. Avito will be the first company to host its public bug bounty program. Read more here.
VK joins Positive Technologies' vulnerability search platform The Standoff 365
On August 8, 2022, VK announced its participation in The Standoff 365 Bug Bounty platform, developed by Positive Technologies. The IT company has placed a bug bounty program on the platform, which, with the help of external experts, helps to find flaws in the security system and fix them before being discovered by attackers. Read more here.
Ministry of Digital Development legalizes state payments to white hackers
On July 17, 2022, it became known that the Ministry of Digital Development of the Russian Federation had decided to legalize the so-called white hackers who earn money by searching for vulnerabilities in IT systems.
As Vedomosti writes with reference to a source in one of the Russian cybersecurity tool developers, the Ministry of Digital Development will enshrine in legislation the concept of bug bounty (payment of remuneration for discovering vulnerabilities) and launch a bonus program for them. Thus, white hackers can be involved in the analysis of vulnerabilities in government information systems, while avoiding accusations of "improper access to computer information," the publication says.
Experts interviewed by the publication believe that the legal definition in the legal field of action of pentests that analyze systems for vulnerabilities, as well as programs for paying remuneration to hackers for detecting vulnerabilities, by analogy with foreign bug bounty, will legalize the actions of white hackers and enable them to use and refine special software tools as part of strengthening cybersecurity mechanisms. Market representatives believe that by July 2022, it will be easier for many companies to contact the police and start a criminal case against the hacker, and not pay him for the problems found.
The legally enshrined concept can become one of the standards for assessing the real security of organizations both commercial and state, said Yaroslav Babin, project manager at The Standoff from Positive Technologies.
In April 2022, against the background of the outflow of IT specialists from Russia after the start of the special operation in Ukraine, the Ministry of Digital Development made a proposal to consider the possibility of direct financial support for white hackers. Representatives of the ministry then put forward an initiative to allocate funds for so-called pentests (analyzing systems for vulnerabilities) and bug bounty programs, in which a reward is paid for detecting vulnerabilities.[11]
In Russia, a platform is being created to pay hackers for finding holes in software
After the international vulnerability search platform HackerOne stopped paying fees to Russian and Belarusian hackers, the Russian Federation thought about creating alternative platforms. One of them, from the company Cyberpoligon, will be launched on April 1, 2022, as it became known the day before. Read more here.
Apple paid a record $100,000 to a student who hacked a computer webcam
At the end of January 2022, Apple paid a $100,000 error reward after a cybersecurity student who successfully hacked an iPhone camera in 2019 did the same with a Mac computer. Read more here.
2021
Bug bounty programs up 34%
Positive Technologies announced on October 26, 2022 that it had analyzed large and active bug bounty platforms around the world. Experts noted that the most popular platforms were among IT companies (16%), online services (14%), the service sector (13%) and trade (11%), financial organizations (9%). This global trend is generally correlated with the Russian one.
In 2021, the number of bug bounty programs, according to HackerOne, increased by 34%, and security researchers identified 21% more vulnerabilities. According to experts, by 2027 the bug bounty market could grow to $5.5 billion.
According to Positive Technologies, the leader in the number of large bug bounty platforms is the Asian region, which hosts 38% of the analyzed resources. In second place is the European region, including Russia: a third of the platforms studied are here, including some of the largest, for example, Intigriti, YesWeHack, Zerocopter and Standoff 365 Bug Bounty. The share of platforms in the North American and Middle East regions was 21% and 8%, respectively.
US DHS launches a program to pay $5,000 for holes found in its IT systems
On December 14, 2021, the US Department of Homeland Security (DHS) announced the launch of a program in which it offers a monetary reward for finding flaws and vulnerabilities in its IT systems. Read more here.
Hacker programs have fallen in price on the black market
In early July 2021, it became known about a decrease in the black market cost of hacker programs (so-called exploits) used to attack vulnerabilities in systems from different manufacturers. This trend was reported by Trend Micro, a company specializing in creating information security products. Read more here.
Mail.ru Group paid another bonus to the researcher in the amount of $40,000
VK (formerly Mail.ru Group) paid another bonus of $40,000 to a researcher. This became known on July 8, 2021. The total amount of remuneration that the company has paid under the program exceeded $2 million.
The Mail.ru Group vulnerability search program has been running on the HackerOne cybersecurity expert platform since 2014. It helps researchers find security flaws and fix them before attackers detect them. The large-scale program covers almost all projects of the VK ecosystem (which is being developed by Mail.ru Group), allowing to increase their security.
The amount of the reward for a discovered vulnerability depends on its criticality. Payments range from $150 to $40,000, and the most expensive vulnerability declared in the program is estimated at $55,000, one of the highest rates in the IT market.
Mail.ru Group pays remuneration to researchers every week.
In total, nearly 5,000 reports from just over 3,400 security researchers have been accepted since launch.
"Vulnerability scanning is an important security tool that we are actively using. This is akin to a regular medical examination: the more often you go to experienced doctors, the more chances that all possible health problems are caught at an early stage and do not lead to a crisis. The best experts from all over the world cooperate with us. They help us detect the slightest security threats and receive a well-deserved reward for this, not only money, but also recognition in the community. We are working to eliminate all discovered vulnerabilities as quickly as possible, which allows us to maintain a high level of security of our products," said Alexey Grishin, head of the vulnerability search program at Mail.ru Group.[12]
Cyber fraudsters began to attract "white hackers" to work under the guise of information security companies
In April 2021, it became known that the international hacker group FIN7 had begun to invite "white" hackers (pentesters, specialists in analyzing the security of information systems) to work under the guise of Check Point Software Technologies and Forcepoint, companies specializing in information security. The hired specialists do not suspect that they are working for cyber fraudsters, said Yevgeny Voloshin, head of the expert services block at Bi.Zone, in a conversation with Kommersant.
Bi.Zone said that FIN7 has developed a program that disguises itself as a tool for analyzing the security of Windows networks. Now the cyber fraudsters are attacking large US companies, pretending to be a legitimate cybersecurity organization.
Positive Technologies described another scheme of attack on "white hackers": members of the North Korean cybercriminal group Lazarus got acquainted with them on social networks and instant messengers, after which they sent a link to an article in the blog. If the victim used the Google Chrome browser, when going to the blog, her computer was infected through the exploitation of a zero-day vulnerability. This allowed attackers to find valuable information on the computers of "pentesters."
Vasily Diaghilev, head of the Check Point representative office in Russia and the CIS, confirmed the existence of a problem in which cyber fraudsters attract "white hackers" by pretending to be a legitimate company. According to him, the attackers expect to take advantage of the credulity of companies that seek to save money on conducting a normal pentest: "the name of a well-known brand allows them to gain confidence." During a penetration test, or as a result of successful detection of security holes, specialists often receive a high level of privileges to access the system.[13]
2020
$35K for Vulnerability Scanning
At the end of November 2020, the Ministry of Digital Transformation of Ukraine announced a program to pay rewards for finding vulnerabilities in the unified system of electronic public services "Diya." This was reported by the press service of the department on Facebook and by its head, Mikhail Fedorov, on Telegram. Read more here.
Microsoft has increased payments for searching for vulnerabilities in its software by 3 times
In early August 2020, it became known that Microsoft had spent about $13.7 million in fiscal year 2020 on rewards for reporting security errors in its software. This figure is three times the amount received by researchers a year earlier ($4.4 million).
Microsoft's software bug detection awards are one of the largest sources of financial rewards for hackers and researchers who examine software for security threats and report them to a vendor rather than selling them to cybercriminals through underground markets. Microsoft has created 15 incentive programs, thanks to which specialists were able to earn $13.7 million for the period from July 1, 2019 to June 30, 2020.
Researchers who devote time to detecting security problems before attackers can use them deserve our respect and gratitude, the Microsoft Security Response Center said. |
Microsoft's total annual payments in this area far surpass Google's awards, which the company provides for identifying vulnerabilities in its software - only $6.5 million. However, even this figure is double the payments of the search giant for 2019. Microsoft says the higher total payments in 2020 are driven by the launch of six new rewards programs and two new research grants. They attracted more than 1,000 reports from more than 300 researchers. Microsoft also suggests that social distancing during the COVID-19 pandemic has caused a surge in security research.
During the first few months of the pandemic, we saw an active increase in program participants and an increase in the number of reports on all 15 reward programs, Microsoft said.[14] |
Apple paid IT specialist $100,000 for vulnerability found
At the end of May 2020, it became known that Indian information security specialist Bhavuk Jain received $100,000 from Apple as a reward for discovering a serious vulnerability in the company's product.
The expert identified a problem in the Sign in with Apple authorization system, which is designed to preserve privacy and give users control over their personal data. On first sign-in, apps and websites can request only the user's name and email address to set up an account.
During authentication via Sign in with Apple, a JWT is generated that carries the identity information a third-party application uses to confirm who the signed-in user is. Exploiting the vulnerability Jain found allowed an attacker to forge a JWT bound to any user's identifier. As a result, an attacker could sign in via Sign in with Apple as the victim in third-party services and applications that support it.
According to Jain, the vulnerability lay in how the user was verified on the client application side before the request was initiated from Apple's authorization servers.
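As an added illustration, not taken from Jain's report or from Apple's code, the following Python sketch shows the relying-party check that such a flaw undermines: the server must verify the identity token's signature and claims itself rather than accept the identity the client presents. It assumes an HS256 shared-secret signing key and constructed issuer and client identifiers so that it runs with the standard library alone; real Sign in with Apple identity tokens are RS256-signed and verified against Apple's published public keys.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed values standing in for the identity provider; real Sign in with Apple
# tokens are RS256-signed and checked against Apple's published public keys. HS256
# with a shared secret is used here only so the example runs with the stdlib.
PROVIDER_SECRET = b"constructed-demo-signing-key"
ISSUER = "https://idp.example.test"        # constructed issuer (iss) value
CLIENT_ID = "com.example.relying-party"    # constructed app identifier (aud)


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_segment(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def issue_identity_token(sub: str, now: int, ttl: int = 600) -> str:
    """Mint an HS256 identity token the way the provider would (constructed helper)."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": ISSUER, "aud": CLIENT_ID, "sub": sub, "iat": now, "exp": now + ttl}
    signing_input = _json_segment(header) + "." + _json_segment(payload)
    sig = hmac.new(PROVIDER_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def unsafe_user_from_token(token: str) -> str:
    """Weak pattern: accepts the identity (sub) inside the token without checking
    who signed it, so any edited token is taken at face value."""
    payload = json.loads(_b64url_decode(token.split(".")[1]))
    return payload["sub"]


def verify_identity_token(token: str, now: int) -> Optional[str]:
    """Hardened relying-party check: signature first, then issuer, audience and
    expiry. Returns the verified subject, or None if any check fails."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":   # pin the algorithm; never honour "none"
            return None
        expected = hmac.new(PROVIDER_SECRET, f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        payload = json.loads(_b64url_decode(payload_b64))
        if payload.get("iss") != ISSUER or payload.get("aud") != CLIENT_ID:
            return None
        exp = payload.get("exp")
        if not isinstance(exp, int) or exp <= now:
            return None
        sub = payload.get("sub")
        return sub if isinstance(sub, str) and sub else None
    except (ValueError, TypeError, AttributeError):
        return None


def with_altered_subject(token: str, new_sub: str) -> str:
    """Test helper: rewrite the sub claim without re-signing, to show that the
    hardened check rejects a token whose identity no longer matches its signature."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    payload = json.loads(_b64url_decode(payload_b64))
    payload["sub"] = new_sub
    return header_b64 + "." + _json_segment(payload) + "." + sig_b64


if __name__ == "__main__":
    now = 1_700_000_000
    genuine = issue_identity_token("user-123", now)
    altered = with_altered_subject(genuine, "victim-456")
    print("genuine:", verify_identity_token(genuine, now))                 # user-123
    print("altered, unsafe path:", unsafe_user_from_token(altered))        # victim-456
    print("altered, hardened path:", verify_identity_token(altered, now))  # None
```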
Bhavuk Jain discovered the vulnerability in April 2020 and reported it to Apple. The company told him that an internal investigation had found no recorded cases of account compromise before the vulnerability was fixed.
Sean Wright, head of SMB application security at ImmersiveLabs, told Forbes that the vulnerability was "significant" and unacceptable for a company with a "reputation for privacy." In his view, Apple needs to test its products more thoroughly.[15]
Google increases payments for detecting vulnerabilities in Google Cloud Platform
Google has increased[16] the total reward for finding vulnerabilities in the Google Cloud Platform (GCP) cloud suite. Security researchers can now earn up to $313,337 under the Vulnerability Reward Program[17].
In 2018 the total prize pool for vulnerabilities in the cloud platform was $100,000; this year it was raised to $313,337 and split across six places. The largest prize is $133,337, second and third place receive $73,331 each, fourth $31,337, and the last two $1,000 each.
"As last year, researchers need to apply to be eligible for remuneration. Information about vulnerabilities in one report is not limited. Specialists can submit several applications, one for each place," the Google blog says.
According to Google, the company in 2019 paid researchers more than $6.5 million in reward programs for discovered vulnerabilities, and since the launch of the first program in 2010 - more than $21 million.
ABC Vkusa launched a reward program for finding vulnerabilities in its IT services
On March 12, 2020, ABC Vkusa told TAdviser it had launched a bug bounty program under which it plans to pay participants a total of more than 1.5 million rubles in the first year as rewards for vulnerabilities found on its website and in its applications.
Drupal platform launched its bug bounty program
The Drupal content management system has its own vulnerability reward program intended to ensure maximum site security and privacy. Any user may take part, subject to Drupal's established conditions and requirements[18][19].
The vulnerability reward program applies only to the drupal.org site and covers the following vulnerability classes: cross-site scripting (XSS), open redirection, cross-site request forgery (CSRF) and improper access control.
An important point is that only genuine vulnerabilities are accepted for consideration, not the output of automated penetration testing tools.
2019
Google paid researchers $6.5 million for vulnerabilities
In 2019, Google paid[20] security researchers more than $6.5 million under its vulnerability reward program, almost double the $3.4 million paid out in 2018. The program was launched in 2010, and since then the company has paid researchers about $15 million[21].
In 2019, researchers received from $100 to $31,337 for a single vulnerability, depending on its severity. For a chain of vulnerabilities the reward rose significantly: Alpha Lab specialist Guang Gong received $201,337 for reporting a series of vulnerabilities in Pixel 3 devices.
In 2019, Google tripled the maximum base reward amount from $5,000 to $15,000 and doubled the maximum reward amount for high-quality reports from $15,000 to $30,000.
In addition, the company has expanded the vulnerability reward program for applications from Google Play. Since last year, any application with more than 100 million downloads can participate in the program. As part of this program, Google paid researchers more than $650,000.
The maximum reward for vulnerabilities in Android has also increased. A researcher can now receive $1 million for an exploit that allows remote execution of arbitrary code on the attacked system, and Google is ready to add another $500,000 on top for finding such a vulnerability in the developer preview version.
Japanese companies don't want to run bug bounty programs
Large Western companies like Google and Apple are offering "white" or "ethical" hackers millions of dollars in rewards for reporting vulnerabilities in their products. However, Japanese companies, including Toyota Motor, NEC and Fujitsu, prefer to limit themselves to just "thank you," writes the Japanese edition of Nikkei[22].
Toyota Motor is ready to publicly thank a security researcher who finds a vulnerability in its corporate website, but someone who discovers a vulnerability in its cars cannot even count on that.
Although Japan is an advanced country technologically, in cybersecurity it lags far behind. Outdated building management systems let cybercriminals switch off ventilation, and most ATMs in the country can be accessed from unauthorized computers, sources told Nikkei. Even so, Japanese companies are in no hurry to launch bug bounty programs to encourage security researchers: Toyota Motor limits itself to a restrained "thank you," and even that cannot be expected from NEC and Fujitsu.
Over the past two years, the average amount of remuneration that companies pay security researchers for discovered vulnerabilities has increased by 70%. For example, in November, Google announced its readiness to pay $1.5 million for vulnerabilities in Android that allow code to be executed remotely. Previously, the amount of remuneration for such vulnerabilities was $200 thousand.
VPN service NordVPN launched bug bounty program
VPN service provider NordVPN has launched[1] a program on HackerOne[23] to reward security researchers for vulnerabilities they find. Rewards range from $100 to $5,000, but NordVPN is ready to pay more for "especially ingenious and dangerous" vulnerabilities.
Researchers can get rewarded for reporting vulnerabilities in NordVPN sites (nordvpn.com and some subdomains), Chrome and Firefox extensions, VPN servers, as well as in desktop and mobile applications for all platforms. The company also instructed researchers on how to report vulnerabilities in WordPress, OpenVPN and StrongSwan to relevant vendors directly.
NordVPN assured researchers that they face no legal prosecution as long as their testing is carried out in good faith. However, they may not disclose vulnerabilities before a patch is released or without explicit permission, and at least 90 days must pass before a vulnerability is disclosed[24].
Mozilla triples reward amount under bug bounty
In honor of the 15th anniversary of its Firefox browser, Mozilla decided to expand[25] its bug bounty program for security researchers and triple the maximum reward. From now on, a researcher can receive $15,000 for remote code execution vulnerabilities in Firefox or in lesser-known Mozilla services (VPN, localization, code management tools, speech recognition, etc.). For other vulnerabilities the company is ready to pay from $1,000 to $6,000[26].
Tripling the reward put Mozilla on a par with other technology companies that run bug bounty programs, although at the very bottom of that group. For comparison:
- Yahoo! and Snapchat pay researchers $15,000 for any vulnerability in their services;
- $15,000 is the minimum reward offered by Microsoft, whose maximum is $300,000;
- the maximum bug bounty reward is $100 thousand at Intel,
- $33,000 at Dropbox,
- $20,000 at Twitter and
- $150,000 at Google for vulnerabilities in ChromeOS.
Huawei also launched its own bug bounty program. It is ready to pay $220 thousand for critical vulnerabilities in its Android devices (the Huawei Mate, P, Nova and Y9 series and Honor-series smartphones) and $110 thousand for dangerous vulnerabilities. By comparison, Google offers less for the same vulnerabilities: $200 thousand and $100 thousand, respectively.
The highest reward is offered by Apple, which in 2019 increased the amount from $200 thousand to $1 million[27].
Hackers can earn as much from selling vulnerabilities as information security experts
On November 11, 2019, it became known that hackers can earn as much from selling vulnerabilities as information security experts who take part in bug bounty programs, or the so-called "gray hats" who do reverse engineering for governments. So says Oliver Rochford, head of research at Tenable. According to him, vulnerability research is an expensive process, and the "white," "black" and "gray" markets use the same methods to find vulnerabilities, whatever their legal status.
The main difference between criminal and legal parties is the presence of ethics. The mechanism (vulnerability detection, exploit research and development) is the same for both criminals and researchers, but the difference is how the parties exploit vulnerabilities. For example, attackers act for the purpose of espionage, sabotage and fraud, while information security specialists analyze existing threats.
According to Rochford, in some cases it is possible to earn much more in a legal way (in this area, hackers can earn about $75 thousand). According to him, in underground markets, about $1 million can be earned for a vulnerability in Apache or Linux, while exploit brokers offer about $500 thousand. Vulnerabilities in WhatsApp for Android can also bring $1 million in black and gray markets. Within the framework of bug bounty programs, the most profitable are vulnerabilities affecting Safari in iOS, and in general, bugs in iOS can earn about $1 million, in the "gray" market - $2 million.
According to Rochford, attackers on average have 7 days to exploit the vulnerability before information security experts begin to analyze it, which is why "companies need to take measures to strengthen security."
According to a recent Bromium report, cybercrime revenue is estimated at $1.5 trillion, while the total cybersecurity market in 2019 was $136 billion[28].
Apple opened its bug bounty program and increased the reward to $1 million
Main article: iPhone issues and security
Apple has opened to everyone its previously closed bug bounty program. Representatives of the company announced this at the Black Hat USA 2019 conference, held in August 2019 in Las Vegas. In addition to opening the program, Apple also added MacOS, tvOS, watchOS and iCloud to it and increased the reward for some vulnerabilities to $1 million.
The company first launched its bug bounty program in 2016, and until now it was invitation-only. Vulnerability reports were accepted only for a limited range of products, and the maximum reward was $200 thousand, paid for hardware vulnerabilities such as those in the firmware components responsible for secure boot. Now Apple is ready to pay $1 million for reports of vulnerabilities that let an attacker carry out a network attack without user interaction, execute code at the kernel level and maintain persistence.
Apple has also raised its rewards for other vulnerabilities. For reports of zero-click network attack vulnerabilities that give an attacker access to valuable confidential data, researchers are now entitled to $500,000. Researchers who discover vulnerabilities before the official software release receive a further 50% on top of that amount.
The world's first millionaire bug hunter
In early March 2019, HackerOne, which runs a platform for finding vulnerabilities for money, presented Santiago Lopez, a 19-year-old self-taught hacker from Argentina who became the world's first millionaire bug hunter.
Lopez began reporting security holes to companies through HackerOne in 2015. By March 2019 he had discovered more than 1,600 vulnerabilities and earned $1 million. His age surprises no one: 47.7% of the more than 300,000 bug hunters registered on HackerOne are aged 18-24, according to the company's annual report. Lopez's earnings, however, are unusual: even the best bug hunters find an average of 0.87 bugs per month, which brings them about $34,255 a year, below the average salary in Great Britain.
Many young security researchers note that bug hunting is not the most pleasant activity because of how companies deal with them: companies often claim they had already identified the bug themselves and pay the bug hunter nothing. Nevertheless, the HackerOne platform is thriving and constantly receives orders from around the world. HackerOne, founded in 2012, says it has paid hackers more than $42 million to date, and payments in 2018 more than doubled compared to 2017 (from $9.3 million to $19 million). More than half of its hackers are registered in five countries: India, the USA, Russia, Pakistan and the UK.
Websites are the favorite target of cyberattacks, according to a survey in the annual report: more than 70% of the hackers surveyed say they prefer to hack websites, followed by APIs (6.8%), storage technologies (3.7%), Android applications (3.7%), operating systems (3.5%) and downloadable software (2.3%). Bug hunters, whose services are used by the US Department of Defense, Hyatt, General Motors, Google, Twitter, GitHub, Nintendo, Lufthansa, Panasonic Avionics, Qualcomm, Starbucks, Dropbox, Intel and more than 1,300 other customers, are becoming ever more popular.[29]
2018
Hackers earn $500,000 a year finding vulnerabilities on commission from large companies
The best freelance hackers hired by large companies and government organizations like Tesla and the US Department of Defense to find vulnerabilities can earn more than $500,000 a year. This was reported on December 12, 2018 by CNBC, citing data from the Bugcrowd platform, which unites so-called ethical or "white" hackers who practice computer hacking to draw attention to cybersecurity problems.
"White" hackers work under a clearly worded contract for a certain company and receive payments when they find some kind of hole in the company's IT infrastructure. The amount of remuneration depends on the severity of the problem identified.
Against the background of a shortage of information security specialists, more and more companies are turning to alternative ways of protecting their IT systems, said Casey Ellis, head of Bugcrowd. By some estimates, the number of open information security vacancies may reach 3.5 million by 2021.
In 2017, a large technology company paid through Bugcrowd the most impressive reward in the history of the platform for one identified vulnerability - $113 thousand. Bugcrowd data suggests that in 2017 the amount of payments rose by another 37%.
Half of ethical hackers hold a regular job alongside their freelance work. The 50 top hackers earn about $145 thousand a year on average, Ellis said. In a Bugcrowd survey, about 80% of information security specialists reported that the platform helped them find work in cybersecurity.
The vast majority of bug hunters collaborating with Bugcrowd are aged 18 to 44, but the platform's audience also includes several "information security prodigies" who are still at school. About a quarter of hackers working with Bugcrowd did not graduate from high school, yet have the skills needed to find vulnerabilities.[30]
SAP, Symantec, and McAfee Source Code Disclosure to Russian Authorities
On January 25, 2018, Reuters reported that SAP, Symantec and McAfee agreed to disclose to the Russian Ministry of Defense the source codes of some of their software products to search for vulnerabilities that hackers could use to hack into IT systems.
Searching for weaknesses in the code of technology companies' products is a prerequisite for the state's procurement of software from military contractors, the agency notes; it studied hundreds of documents on purchases by American government agencies and on legislative regulation in Russia.
According to cybersecurity experts and US lawmakers, this practice jeopardizes the protection of computer networks in at least 10 US departments, since the software that IT companies show to the Russian authorities is used to protect critical systems of the Pentagon, NASA, the Ministry of Foreign Affairs, the FBI and the intelligence agencies from hackers.
In theory, Moscow could use vulnerabilities found in the software to its advantage, the agency notes. At the same time, Reuters has not yet found a single example in which such a practice was shown to have led to a cyber attack.
Representatives of SAP, Symantec, McAfee and Micro Focus say that the study of products is under the control of developers on secure equipment, where it is not possible to change or remove parts of the code, so there can be no question of a security violation.
SAP explained that viewing the source codes is carried out in an absolutely safe and company-controlled room, where any recording devices and even pencils are "strictly prohibited."
However, amid growing concern from the US authorities, Symantec and McAfee stopped allowing such checks on their software, and Micro Focus significantly reduced their number at the end of 2017.
"Even just letting people look at the source code for a minute is a very big danger," says Steve Quane, executive vice president of network protection technologies at Trend Micro.
According to him, because of these risks to which the American government is exposed, Trend Micro denied Russia access to the source code of the TippingPoint system.
Quane noted that leading information security experts can quickly detect vulnerabilities in software simply by examining the code, and that Trend Micro has such specialists.
According to GOP Congressman Lamar Smith, laws are clearly needed that would ensure a higher level of cybersecurity for federal departments and related organizations.
A Symantec spokeswoman assured Reuters that the version of the Symantec Endpoint Protection firewall released at the end of 2016 never passed the source code check, and previous versions have received many updates since the detailed study of the product by the Russian authorities. Symantec sold the previous version of Endpoint Protection until 2017 and intends to release updates for this software until 2019.
McAfee confirmed the Reuters finding that in 2015 it gave access to the code of its Security Information and Event Management system to the company Echelon, which conducted an audit on behalf of FSTEC. Despite this, the US Treasury Department and the Defense Department Security Service continue to use the product to protect their networks, Reuters reported, citing contracts in its possession.
McAfee declined to comment further on the Reuters request. Earlier, the company said that the check of the source codes at the request of Russia was carried out in premises in the United States.[31]
One of the products that Echelon investigated for vulnerabilities was the ArcSight ESM solution, which has been developed by the British company Micro Focus since the sale of the HPE software business. This software is used by the Pentagon, as well as at least seven US departments, including the Office of the Director of National Intelligence and the intelligence unit of the State Department.
HPE said none of its current products had undergone source code analysis by the Russian authorities; admittedly, after the deal with Micro Focus the American company had divested its software assets.
Aleksey Markov, president of the Echelon group of companies, told Reuters that American companies whose products were investigated for vulnerabilities initially expressed concern about the certification process.
"The less the decision maker understands programming, the more paranoid they are. But as the details are clarified during certification, the dangers and risks become blurred," Markov said.
According to him, Echelon always notifies IT companies before transferring data about any discovered vulnerabilities to the Russian authorities, allowing manufacturers to eliminate the shortcomings. Studying the source code of products "significantly improves their safety," he said.
Former Deputy Director of the US National Security Agency Chris Inglis counters: "When you sit at a table with card sharps, you cannot trust anyone. I wouldn't show the code to anyone."
Russia among the top three countries by number of bug hunters
Bug hunters earn many times more than programmers, according to a survey by HackerOne, a platform that organizes Bug Bounty projects in which hackers are paid for the security vulnerabilities they find. Russia is also among the top three countries by number of such specialists.
According to the results of a study published in January 2018, the average bounty received by the roughly 1,700 hackers from different countries registered on HackerOne is 2.7 times the average earnings of a software engineer, Bleeping Computer reports.
The survey showed that vulnerability hunters from developing countries benefit most from Bug Bounty programs. In India, for example, the best bug hunters can earn 16 times the median salary of full-time company programmers.
Hunting security vulnerabilities for money can also provide a comfortable living in Argentina, Egypt, Hong Kong, the Philippines and Latvia, where bug hunters earn on average 5.2 to 8.1 times more than regular software developers.
"Vulnerability hunting" is a profitable business for people from developed countries too, although the gap with programmers' salaries is less impressive there: in the USA and Canada experienced bug hunters can earn 2.4 and 2.5 times more, and in Germany and Israel the advantage over average programmer earnings is 1.8 and 1.6 times.
The HackerOne report contains other interesting facts. In particular, the study showed that Russia is one of the three leaders in the number of hackers participating in Bug Bounty projects, second only to India and the United States. The first two countries account for 23% and 20% of HackerOne participants, and the Russian Federation for 6%. Pakistan and Great Britain round out the top 5 with 4% of all bug hunters each.[32]
Notes
- [1] Vulnerabilities will find a price
- [2] Legalization of "white hackers" may be included in the national project "Data Economics"
- [3] Second stage of bug bounty: twice as many specialists test e-government systems
- [4] On Amending Article 1280 of the Fourth Civil Code of the Russian Federation
- [5] The expert appreciated the possibility of legalizing "white" hackers
- [6] Siloviki opposed the legalization of "white" hackers
- [7] Hacking for the good of the state
- [8] The Ministry of Digital Development said that there were few "white" hackers in Russia
- [9] The bill on white hackers raised questions from security officials
- [10] The Ministry of Digital Development will check the security of "Public services" at two sites at once
- [11] Ministry of Digital Development plans to legalize white hackers
- [12] Mail.ru Group paid another bonus to the researcher in the amount of $40,000
- [13] They broke down and agreed. Cybersecurity experts worked for hackers
- [14] Microsoft goes big in security bug bounties: Its $13.7m is double Google's 2019 payouts
- [15] Apple Pays Hacker $100,000 For 'Sign In With Apple' Security Shocker
- [16] Announcing our first GCP VRP Prize winner and updates to 2020 program
- [17] Google has increased payments for detecting vulnerabilities in the Google Cloud Platform
- [18] Drupal Bug Bounty Program
- [19] The Drupal platform has launched its bug bounty program
- [20] Vulnerability Reward Program: 2019 Year in Review
- [21] Google has paid researchers $6.5 million for vulnerabilities
- [22] Japanese companies do not want to launch bug bounty programs
- [23] NordVPN: The world's most advanced VPN
- [24] The NordVPN VPN service has launched a bug bounty program
- [25] Updates to the Mozilla Web Security Bounty Program
- [26] Mozilla has tripled the amount of remuneration within the bug bounty
- [27] Apple opened its bug bounty program and increased the reward to $1 million
- [28] Hackers can earn as much from selling vulnerabilities as information security experts in bug bounty programs
- [29] Meet the World's First $1 Million Bug Bounty Hunter
- [30] Some freelance hackers can get paid $500,000 a year to test defenses of companies like Tesla
- [31] Tech firms let Russia probe software widely used by U.S. government
- [32] Top Bug Hunters Make 2.7 Times More Money Than an Average Software Engineer