Media outlets, citing their own sources, report that a new version of a bill to legalize white-hat hackers is in the works. The Federation Council, the FSB, the Interior Ministry (MVD), and infosec companies are discussing the possibility of creating a registry of white-hat hackers and certifying them. The work of these specialists would be regulated by security and law enforcement agencies, including the FSB.
As RBC reports, the initiative proposes creating a unified system of state regulation for all types of research focused on finding vulnerabilities. In the new version of the bill, the term “vulnerability discovery activity” is introduced, which could encompass all forms of vulnerability discovery, erasing the current distinctions within the industry.
According to the document, the following could fall under this definition:
- commercial bug bounty programs;
- internal bug bounties, where companies have their own employees hunt for vulnerabilities in their infrastructure;
- any independent research: actions of individual researchers who, without invitation, test software for vulnerabilities;
- penetration tests conducted under legal agreements that describe all necessary aspects of interaction between the client company and the company providing the researchers’ services.
Sources tell the publication that regulation of all “vulnerability-hunting activities” is planned to be placed entirely under the control of the security agencies: the Federal Security Service (FSB), the Federal Service for Technical and Export Control (FSTEC), and the National Coordination Center for Computer Incidents (NCCCI).
They may be granted the authority to set mandatory requirements for key areas of vulnerability research, regardless of whether the software is commercial, for internal use, or pertains to critical business or government agencies.
This covers mandatory identification and verification of white-hat hackers; the rules for accrediting and operating organizations that conduct vulnerability-hunting activities; rules governing the processing and protection of data on discovered vulnerabilities; regulations on exactly how vulnerability information must be transmitted to the resource owner and government authorities; and so on.
Lists of operators that meet the requirements will be published on the websites of the security agencies, and work outside accredited platforms, as well as work by companies that do not comply with the rules, will be prohibited.
In addition, it is proposed to require anyone who discovers a vulnerability to report it not only to the software owner, but also to the security agencies. An amendment is proposed to Article 274 of the Criminal Code (“Violation of the rules for operating means of storage, processing, or transmission of computer information”), under which the “unlawful disclosure of vulnerabilities” that does not comply with established rules would be classified as a crime.
The creation of a registry of white-hat hackers is also being discussed.
A representative of the Ministry of Digital Development told the media that “the ministry is in dialogue with the industry and colleagues from the State Duma regarding this bill,” noting that they have not received any proposals to create a registry of white-hat hackers.
“The proposed changes would ‘legalize’ the work of white-hat hackers, eliminating potential negative consequences when they carry out their activities. Before the law is adopted and signed by the president, the document may be revised to take into account proposals from the industry and interested agencies,” the Ministry of Digital Development said.
The legalization of bug bounty programs and the activities of white-hat hackers in Russia has been discussed since 2022. In February 2023, Alexander Khinshtein, former head of the State Duma Committee on Information Policy, proposed exempting white-hat hackers from liability, but the FSB and FSTEC opposed the idea. Later, the Prosecutor General’s Office, the Interior Ministry (MVD), and the Investigative Committee (SK) also rejected the amendments, fearing that attackers would hide behind testing contracts.
In December 2023, a bill was introduced that would allow researchers to search for vulnerabilities without the rights holder’s consent, provided they report their findings within five business days. The document passed its first reading in October 2024, but in the summer of 2025 the State Duma rejected it, as the bill did not take into account the specifics of information support for government bodies’ operations.
Some of the market participants interviewed by the publication pointed out risks in the ideas under discussion. They consider the idea of a registry of white-hat hackers the most concerning. For example, Kirill Levkin, project manager at MD Audit (part of the Softline Group), warned that mandatory identification of cybersecurity researchers poses a threat to their safety and privacy, especially in the event of a data leak.
“White-hat hackers often become targets for cybercriminals, especially when they publicly disclose dangerous vulnerabilities. In addition, deanonymization could reduce the number of participants in bug bounty programs, since many specialists work under pseudonyms not to hide, but to minimize personal risk,” Levkin says.
A representative of an unnamed Russian bug bounty platform emphasized the need for clear distinctions: “Commercial bug bounty should develop according to market mechanisms. Bug bounty for government resources and critical infrastructure must be regulated by all the rules, since there are critical, state-level risks.”