Bug Bounty Programs Take Root In Russia (csoonline.com) 17
snydeq writes: CSO Online's Sarah Wiedemar reports on a rising trend in the Russia cybersecurity community: bug bounty programs, which the researcher says could have far-reaching implications as the bounty ecosystem matures. From the report: "Given the current uncertainty that Russian bug bounty hunters and vulnerability researchers are facing when dealing with Western bug bounty programs, Russian IT companies have begun to fill that vacuum. [...] Russian bug bounty platforms have a high probability for substantial growth in the next few years. They provide a credible Western alternative not only to Russian hackers, but also for all other vulnerability researchers located in countries that could potentially face international financial sanctions in the future.
From a Western perspective, a potential problematic development could be that Russian hackers decide to sell vulnerabilities found in Western products to Russian zero-day acquisition companies such as Operation Zero. Thus, instead of reporting them to Western bug bounty platforms for free, they sell to the highest bidder. Those zero-day acquisition companies in turn sell them on to Russian law enforcement and security agencies, which could lead to increased espionage campaigns in Western countries. Western policy makers would do well to keep an eye on the evolution of Russia's bug bounty ecosystem." Although bug bounty programs have existed in Russia since 2012, they weren't widely adopted due to distrust from the government and dominance of Western platforms. Recently, new platforms like Bug Bounty RU, Standoff 365, and BI.ZONE have emerged, attracting thousands of bug hunters and major Russian companies. "In 2023, the total number of bug hunters on these platforms amounted to 20,000 people," notes Wiedemar. The Russian government has also begun participating, launching programs for 10 of its e-government systems.
However, legal ambiguities remain, as ethical hacking is still considered illegal in Russia, with potential prison sentences. Despite this, there are ongoing legislative efforts to legalize ethical hacking, alongside broader government initiatives to enhance cybersecurity, including increased fines for data breaches and the potential creation of a cybersecurity agency akin to the US CISA.
Re: (Score:2)
Re: (Score:2)
https://dilbert-viewer.herokua... [herokuapp.com]
Sell or "sell" (Score:2, Troll)
Re: (Score:2)
The Russian administration is not _that_ stupid. Nobody would go bug hunting again. Seriously. Think before you post.
Re: Sell or "sell" (Score:1)
Russia has been exposed actively shopping for 0-days right here in the US. And it is against the law in Russia to keep such findings from the Russian government once they decide you were never supposed to know what you know. So.....
Re: (Score:2)
You are mistaken as to how Russian law works.
Re: (Score:2)
It is also illegal for the US government to spy on US citizens without a court order, yet Snowden has shown that it is widely done in the US. Having governments break their own laws is common; they always give the excuse of "national security" and "fighting terrorism", while they use it for whatever they want.
Good and Gold-Hats (Score:4, Informative)
Re: (Score:3)
And consider that 50% of new fixes are twists on old fixes that were never correctly patched by the vendor.
Probably the easiest way to go about it: Look at what got patched.
Re: (Score:2)
Different ways (Score:2)
For those who don't remember how this works in Russia and Ukraine, most Western police systems stopped issuing international warrants when finding their IT criminals by around 2010 or so. Because both nations used those warrants as recruitment ads into their state security structures.
I guess Russia's need for offensive operations against Ukraine and its allies is growing rapidly, while not enough candidates for the work are found in the mobilization efforts. So this is a logical next step, give bounty for som
In Soviet Russia, #fixwont YOU! (Score:2)
Bug hunts (Score:2)
So, the harvest failed again?
LMAO (Score:2)
Doesn't matter since their hackers and programmers are a bunch of simple-minded morons.