Red Hot Cyber
Russia legalizes white hat hackers with new law

Redazione RHC : 23 October 2025 12:05

Russia is preparing a new version of a bill legalizing white hat hackers. Two sources in government agencies and the cybersecurity industry told RBC that the document has already passed the primary approval stage and is being prepared for submission to the State Duma.

The initiative envisions the creation of a unified system of government regulation for all types of research activities related to vulnerability detection. The project will involve specialists hired by companies to test their information systems, both directly and through bug bounty platforms, where rewards are paid for discovered bugs and vulnerabilities.

The new version of the bill introduces the concept of a “vulnerability research event.” As RBC sources explained, this “could encompass all forms of vulnerability research, erasing existing distinctions in the industry.” This includes both commercial bug bounty programs conducted via specialized platforms and internal audits, in which company employees research vulnerabilities. This category also includes independent research, in which specialists independently test software, and penetration tests conducted under official contracts between organizations.

It is proposed to delegate the regulation of all these activities to law enforcement agencies: the FSB, the FSTEC, and the National Coordination Center for Computer Incidents. These agencies could be authorized to establish mandatory requirements for key areas of vulnerability research, regardless of whether the programs are commercial, for internal use, or related to critical companies or government agencies.

This includes mandatory identification and verification of white hat hackers; standards for the accreditation and operation of organizations conducting vulnerability research; standards governing the processing and protection of data on identified vulnerabilities; regulations for how vulnerability information should be communicated to asset owners and government agencies, and more.

It is expected that the lists of accredited operators will be published on the official websites of law enforcement agencies. Organizing events outside of accredited venues or in violation of established rules will be prohibited. Furthermore, it is proposed that anyone discovering a vulnerability will be required to report it not only to the software owner, but also to law enforcement.

The bill proposes amendments to Article 274 of the Russian Criminal Code, which would criminalize “illegal transfer of vulnerabilities,” that is, the transfer of information in violation of established regulations. According to some sources, the possibility of creating a state registry of “white hat” hackers is also being considered.

The Ministry of Digital Development, Communications, and Mass Media confirmed its involvement in finalizing the initiative. A ministry spokesperson stated that “the Ministry is in dialogue with the industry and its colleagues in the State Duma on this bill,” noting that no proposals for the creation of a registry have yet been received. He added that the project aims to legalize the activities of white-hat hackers to prevent potential negative consequences for their work. Before the law is adopted and signed by the President, the document may be amended to reflect the input of the industry and relevant agencies.

Experts interviewed by RBC describe the new version of the initiative as more rigorous and emphasize the risks of mandatory deanonymization of specialists. They argue that creating a registry of “white hat” hackers and sharing data with law enforcement could lead to leaks, threats to researchers’ security, and an exodus of participants from bug bounty programs. Some experts warn that companies and independent researchers, fearing the consequences, could retreat into the “gray zone” and conduct testing unofficially.

Redazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.