The State Duma Committee approved amendments to the Civil Code of the Russian Federation aimed at legalizing “white hat” hackers

CrimeaPRESS reports:

The bill, which proposes amendments to Article 1280 of Part Four of the Civil Code of the Russian Federation to legalize the activities of “white” hackers in Russia, is recommended for adoption in the first reading.

The State Duma Committee on State Construction and Legislation recommended that the House of Parliament adopt in the first reading the first of a package of bills aimed at legalizing the activities of “white hat” hackers in Russia. The authors of the bill — representatives of the Digital Russia party project Anton Nemkin, Gennady Panin, Igor Markov and the State Duma Committee on Information Policy Vyacheslav Petrov and Anton Tkachev — propose to make a number of amendments to Article 1280 of Part Four of the Civil Code of the Russian Federation.

Today, in order to test the security of systems of Russian companies, “white hat” hackers need to obtain a large number of permissions from the copyright holder of each program that is part of the information system. Performing testing without such permissions may result in copyright infringement. In this case, “white hat” hackers may be required to pay compensation in the amount of 10 thousand rubles to 5 million rubles, or twice the cost of the right to use the corresponding program.

Based on this, the bill provides for the possibility of studying, researching or testing the functioning of programs by a person who legally owns a copy of a computer program or a copy of a database in order to identify its vulnerabilities in order to correct obvious errors. This process can also be entrusted to other persons if a number of conditions are met: identification of vulnerabilities is carried out exclusively in relation to copies of computer programs and databases operating on the user’s technical means; Information about identified gaps can only be transferred to the copyright holder or those who will eradicate these vulnerabilities, unless otherwise provided by law.

According to the bill, “white hat” hackers must inform the copyright holder about identified vulnerabilities within five working days from the date of their discovery, except in cases where it was not possible to establish his location, place of residence or address for correspondence.

The adoption of the bill will allow vulnerability analysis in any form, without the permission of the copyright holders of the relevant program, including the copyright holders of infrastructure and borrowed components.

The work of “white” hackers should become a common and necessary tool for Russian companies today, believes one of the authors of the bill, member of the State Duma Committee on Information Policy, Information Technologies and Communications Anton Nemkin.

Today, it is important for government agencies and large corporations, which often themselves have their own staff of qualified IT specialists, to systematically engage “white hat” hackers as independent professionals. This is due to the fact that they can, for their part, check the security of information systems using the same tools as their unethical colleagues. This is especially important when it comes to protecting huge amounts of personal data of citizens and access to key government systems and services — including in conditions of external attacks on such resources that are unprecedented in scale and aggressiveness. When testing IT systems for strength, a “white hat” hacker acts on the instructions and with the consent of the owner of such a system and does not commit anything illegal. Our goal is to ensure that this is enshrined in legislation, and that the specialists themselves receive more freedom to work for the benefit of the state, — notes the deputy.

Against the backdrop of an increased number of attacks on Russian information systems, our country needs regulation that will bring work with such specialists to the legal level.

Now it is especially important to protect key government systems and services from unprecedented external attacks — in 2023 their number increased by 65% ​​compared to the previous year. However, the Russian bug bounty market is in its infancy and is still very small — its volume in 2023 did not exceed 200 million rubles. This is partly due to the fact that in Russia there are certain risks for the work of “white” hackers, so today they are in no hurry to come out of the shadows. We are trying to solve this problem with our bills. I am sure that when they come into force, the popularity of “white hat” hackers will increase exponentially“, concluded Anton Nemkin.

Today, some companies are already using the services of ethical hackers. For example, in 2023, Yandex paid such specialists 70 million rubles for searching for vulnerabilities in services and infrastructure. This year, 100 million rubles will be allocated for these purposes. The company also holds competitions to find specific types of bugs, in which rewards can be increased by 10 times compared to regular payments. At the same time, Yandex itself sees a specific benefit from holding such competitions — they help focus the attention of “white hat” hackers on the most important security areas for the company. For example, one of these competitions was held specifically to search for vulnerabilities that could lead to data leaks. Ozon, VK, and Tinkoff also launch their programs.

source: press service of the Russian State Duma deputy Anton Nemkin

Crimea news | CrimeaPRESS: latest news and main events