Bug Bounty Programs Take Root In Russia

snydeq writes: CSO Online's Sarah Wiedemar reports on a rising trend in the Russia cybersecurity community: bug bounty programs, which the researcher says could have far-reaching implications as the bounty ecosystem matures. From the report: "Given the current uncertainty that Russian bug bounty hunters and vulnerability researchers are facing when dealing with Western bug bounty programs, Russian IT companies have begun to fill that vacuum. [...] Russian bug bounty platforms have a high probability for substantial growth in the next few years. They provide a credible Western alternative not only to Russian hackers, but also for all other vulnerability researchers located in countries that could potentially face international financial sanctions in the future.

From a Western perspective, a potential problematic development could be that Russian hackers decide to sell vulnerabilities found in Western products to Russian zero-day acquisition companies such as Operation Zero. Thus, instead of reporting them to Western bug bounty platforms for free, they sell to the highest bidder. Those zero-day acquisition companies in turn sell them on to Russian law enforcement and security agencies, which could lead to increased espionage campaigns in Western countries. Western policy makers would do well to keep an eye on the evolution of Russia's bug bounty ecosystem." Although bug bounty programs have existed in Russia since 2012, they weren't widely adopted due to distrust from the government and dominance of Western platforms. Recently, new platforms like Bug Bounty RU, Standoff 365, and BI.ZONE have emerged, attracting thousands of bug hunters and major Russian companies. "In 2023, the total number of bug hunters on these platforms amounted to 20,000 people," notes Wiedemar. The Russian government has also begun participating, launching programs for 10 of its e-government systems.

However, legal ambiguities remain, as ethical hacking is still considered illegal in Russia, with potential prison sentences. Despite this, there are ongoing legislative efforts to legalize ethical hacking, alongside broader government initiatives to enhance cybersecurity, including increased fines for data breaches and the potential creation of a cybersecurity agency akin to the US CISA.

Re:

[arglebargle_xiv]

It is capitalism at work, just not the way you think: A country where corruption is a way of life sets up a system to funnel money towards someone finding software artefacts that can be trivially added by an associate who gets a cut. Yeah, that's gonna work just fine.

Re:

[NotEmmanuelGoldstein]

https://dilbert-viewer.herokua... [herokuapp.com]
https://dilbert-viewer.herokua... [herokuapp.com]

Sell or "sell"

[Malay2bowman]

"Those zero-day acquisition companies in turn sell them on to Russian law enforcement and security agencies" I wonder how long before "Those zero-day acquisition companies in turn GIVE them to Russian law enforcement and security agencies in exchange for making it through the day without a broken jaw and an immediate and indeterminate sentence in the gulag."

Re:

[gweihir]

The Russian administration is not _that_ stupid. Nobody would go bug hunting again. Seriously. Think before you post.

Re: Sell or "sell"

[dowhileor]

Russia has been exposed actively shopping for 0-days right here in the US. And it is against the law in russia to keep such findings from the Russian government once they decide you were never supposed to know what you know. So.....

Re:

[gweihir]

You are mistaken as to how Russian law works.

Re:

[higuita]

it is also illegal for the US government to spy US citizen without court order, yet Snowden have shown that it is widely done in the US... having government break their own laws is common, they always give the excuse of "national security" and "fight terrorism", while they use it for whatever they want

Good and Gold-Hats

[Canberra1]

A Gold-Hat is a computer professional that licenses his/her work, such as security vulnerabilities. Often it pays better than a security expert job salary. Many get lots of paid training and skills by former govt work - until some cap on salary got in the way of raw talent. Trouble is enforcement of license's on the darkweb is dammed difficult. Anyway, it is an open market, and let the market sort it out. And consider 50% of new fixes, are twists on old fixes that were never correctly patched by the vendor.

Re:

[gweihir]

And consider 50% of new fixes, are twists on old fixes that were never correctly patched by the vendor.

Probably the easiest way to go about it: Look at what got patched.

Re:

[Canberra1]

Somewhat difficult. MS and other have a nasty habit of sneaking in unannounced patches, and patches for the same thing. Thus you can have the same module, with the same version number - but a different signature. In a way this is good for hackers that can regress a patch with a real signed module. This a a long winded way of saying basic edit checks are not being done - because that would decrease overall speed.

Different ways

[Luckyo]

For those who don't remember how this works in Russia and Ukraine, most Western police systems stopped issuing international warrants when finding their IT criminals by around 2010 or so. Because both nations used those warrants as recruitment ads into their state security structures.

I guess Russia's need for offensive operations against Ukraine and it's allies are growing rapidly, while not enough candidates for work are found in the mobilization efforts. So this is a logical next step, give bounty for som

In Soviet Russia, #fixwont YOU!

[Pseudonymous Powers]

I'm just remembering all those stories about companies trying to get out of paying people who reported bugs. That might not be the best strategy if your bug bounty hunter is Russian, though. Please keep in mind that he has ready access to... other markets for your vulnerabilities.

Bug hunts

[PPH]

So, the harvest failed again?

LMAO

[Bahbus]

Doesn't matter since their hackers and programmers are a bunch of simple-minded morons.