The Government approved the Procedure for Bug Bounty in Ukraine

Ukraine fights the Russian Federation, in particular, in cyberspace.

To support this, in March 2022 the Parliament of Ukraine amended the Criminal Code of Ukraine to decriminalise interference in the operation of information systems when it is done with the aim of finding vulnerabilities in them. In other words, the Parliament permitted white-hat (ethical) hackers to search for vulnerabilities, in particular in government systems.

At the same time, according to BRDO’s analysis, the decriminalisation mechanism that was chosen was not the best from the point of view of normative design. Nevertheless, the representatives of the relevant authorities decided to continue implementing this mechanism. To do so, it was necessary to adopt the procedure approved yesterday.

The document defines the procedure for organizing the search for, and identification of, potential vulnerabilities in information systems on the basis of a public offer. This covers any system whose owner decides to publish a public offer for vulnerability research: from the information systems of state registers to, for example, the information system of a city water utility.

Implementation of the document:

  • will allow Ukraine to launch a full-fledged national Bug Bounty system;
  • will provide the owners of information systems with a tool to raise their level of cyber protection, which is critically important in the conditions of the Russian Federation’s war against Ukraine;
  • will involve private researchers in cooperation with the state on cyber security issues and protect such white-hats from criminal prosecution;
  • will ensure an increase in the overall level of national security of our country.

BRDO experts within the EU4DigitalUA project funded by the EU participated in the development of the resolution.

What is Bug Bounty?

Bug Bounty is an agreement offered by websites, organisations, and software developers under which anyone can receive a reward for finding bugs in the company’s ICS. Errors related to security and vulnerabilities are especially important.

These programs allow developers to identify and fix bugs before they become known to the general public, preventing widespread abuse and data leakage. They are run by brands such as Mozilla, Facebook, Google, Reddit, Microsoft, etc.

Outside the technology industry, bug bounty is also used, for example, by the US Department of Defense.

Before that, BRDO launched the first bug bounty program in Ukraine for resources in the domain back in 2018. Later, similar programs were implemented for Prozorro and Diia.