Russia Prepares Standardized Pricing for White Hat Hackers to Attract More Researchers in Identifying Vulnerabilities
Cyberattacks against Russian government systems and corporations have increased, partly fueled by war. Even without the war, attacks on government and corporate systems are not uncommon.
However, Russia appears to be weary from these cyberattacks and is looking to leverage the power of white hat hackers to proactively discover and fix vulnerabilities before they can be exploited by malicious actors.
So, how can Russia attract more white hat hackers to participate in security research? The answer lies in establishing standardized pricing, offering uniform bug bounty pricing to entice security researchers to participate.
The Russian Ministry of Digital Development recently disclosed that it is in the process of setting standard pricing for its bug bounty program, which will be primarily used for Russian government systems and state-level vulnerability reward programs.
The rationale behind this initiative is straightforward. Government agencies and corporations often offer varying scales of bug bounty rewards due to their size, with major tech companies sometimes paying up to $100,000 for a single vulnerability.
Some Russian government entities do offer bug bounties, but without a set standard, this can lead to a lack of participation from researchers, as many government agencies do not offer any reward at all.
The plan is still under discussion, but the Ministry of Digital Development has indicated that bug bounties in the Russian Federation could range from 30 to 50,000 rubles ($0.31 to $511), with potential for significantly larger rewards for critical vulnerabilities, up to 1 million rubles ($10,222).
Russian businesses are not required to adhere to these standards, as they only apply to government institutions and states. Enterprises can still set their own bounty rewards based on their circumstances.
This initiative is expected to encourage more security researchers to get involved, moving away from the previous approach where each entity acted independently, offering little to no rewards. Now, with mandatory standardized rewards, researchers will at least not have to worry about receiving inadequate compensation.
It’s important to note that the proposed price standards may still be low compared to those offered by major technology companies, which might not attract international researchers. However, local Russian security researchers are likely to welcome this initiative.