Positive Technologies plans to launch in Russia an analogue of the international vulnerability search platform HackerOne. The service is meant to act as an intermediary between companies that want to have their information systems tested for security and hackers who are rewarded for breaking into them. Rostelecom also plans to develop a similar platform at the request of banks. But experts doubt that the projects will succeed: Russian companies, unlike foreign ones, often have no budget for such services, and they frequently simply do not respond to vulnerability reports.

A representative of Positive Technologies told Kommersant that the company plans to launch a platform in Russia in May 2022 that will aggregate programs under which ethical hackers search for vulnerabilities (bug bounty programs). Under such programs, hackers receive rewards from companies for vulnerabilities found in their IT networks, systems and applications. According to Yaroslav Babin, head of the application security analysis department at Positive Technologies, the platform will act as an intermediary between “ethical hackers” and companies: “There is no such system in Russia now; some bug bounty programs from Russian companies are posted on the international HackerOne.”

The programs are planned to run not only in the traditional format but also in a new one, said Andrey Bershadsky, director of the Positive Technologies competence center: “In the traditional bug bounty program, the customer pays for the vulnerabilities discovered in general and receives a huge stream of them, so a lot of resources have to be spent on verification.”

In the new format, the plan is to compile a register of unacceptable events and to pay a reward for an attack chain that demonstrably leads to unacceptable damage.

That is, explains Andrey Bershadsky, the customer saves on verification, while demonstrating unacceptable damage can bring the hacker more income.

However, Anna Mikhailova, business development manager at the Angara group, fears that companies could use such a scheme as yet another criterion for refusing payment: “Assessing risks and, moreover, damage is not such a transparent process, especially when it needs to be linked to vulnerabilities.”

Rostelecom has already announced plans to create a Russian analogue of HackerOne. The request to create the platform came from the banking community headed by the Central Bank, Rostelecom-Solar explained to Kommersant. In June, the company also launched a program to search for vulnerabilities in developers’ software and hardware as part of the federal project “Information Security” within the national program “Digital Economy of the Russian Federation”.

VTB considers it expedient to create a platform for “white hackers”. It could bring additional benefit by publishing information about typical unacceptable events for business systems of various classes, the bank’s press service believes: “This will allow companies to improve the relevance of their own threat models.” A vulnerability search aggregator would remove many of the bureaucratic issues of organizing such a process inside companies and, if the service is implemented properly, would protect bug hunters from the risk of non-payment, says Alexander Vetkol, a leading systems engineer at Varonis Systems.

Evgeny Kaspersky, founder and CEO of Kaspersky Lab, in an interview with Kommersant in June 2021: “Cybercriminals are everywhere – somewhere there are more, somewhere less. In America there are fewer because the FBI cleaned them up very well.”

Bug bounty programs are currently used most actively by large foreign IT corporations. For example, Microsoft runs 17 programs, under which 341 researchers submitted a total of 1.2 thousand vulnerability reports to the company in 2020, earning a total of $13.6 million, SecurityLab reported. In 2020, Google almost doubled its vulnerability bounties and paid out $6.7 million; the maximum reward for a single vulnerability was $132.5 thousand. Russia’s Ozon hosts a bug bounty program on HackerOne and offers rewards from $150 to $3 thousand.

However, experts doubt the prospects of the Russian projects. Creating such a platform in Russia is pointless if it targets only domestic business, which has no budget to pay such specialists, says Mikhail Sergeev, lead engineer at CorpSoft24: “Only very large companies can afford ‘white hackers’, and, as practice shows, even they often do not respond to reports of discovered bugs.”

Launching a bug bounty program requires additional financial outlay and a certain maturity of information security processes, which shortens the list of potential clients for such a platform in Russia, agrees Ilya Shalenkov, head of the cyber security services group at KPMG. Demand for such a service among Russian developers, adds Alexander Vetkol, presupposes that they accept “the right to make a mistake.”

Yulia Stepanova