White Hat Hackers to Step Out of Shadows? Bug Bounty Bill in Progress

Council Urges Ministry to Accelerate Preparation of Bill on Vulnerability Search

The Council for the Development of the Digital Economy under the Federation Council has appealed to the Ministry of Digital Development, Communications and Mass Communications of the Russian Federation to speed up the preparation of a bill that will establish a legal basis for the search for vulnerabilities in software for remuneration. The council is also seeking to define the boundaries of responsibility for specialists involved in vulnerability search. The request was made by Artem Sheikin, the deputy chairman of the digitalization council, according to TASS.

Sheikin, who heads the section on technological sovereignty and information security of the Russian Federation, explained that the idea of introducing a bill to legalize vulnerability search activities (known as Bug Bounty) has been under public discussion since the summer of 2022. The proposal has been studied by Mintsifry. The bill includes amendments to Article 272 of the Criminal Code (UK) of the Russian Federation, which deals with illegal access to computer information.

The progress of the bill has been hindered due to the differing views of various departments involved in the discussions. Sheikin stated that the line between punishable actions and legal ones, as well as the responsibility of researchers versus the responsibility of system owners, is unclear. The existing legislation on computer crimes is outdated and requires modernization in order to establish clear approaches and decision-making methodologies.

As a result, Sheikin recommended that the Ministry of Construction resume the development of a legislative proposal to bring the activity of vulnerability search for remuneration into the legal field and to establish the boundaries of responsibility for specialists involved in this field.

The primary goal of the bill is to legalize and simplify the activities of “white” hackers, providing them with protection from legal consequences and encouraging more researchers to participate. However, Sheikin also highlighted potential provisions in the bill that could hinder vulnerability search efforts. For example, if the bill includes the establishment of a register of “white” hackers or the licensing of individuals, it may require researchers to operate openly, which many are not prepared for.

Overall, the regulation of vulnerability search activities aims to provide legal protection to specialists in the field and to increase their interest and involvement.
