To strengthen cybersecurity, Ukraine is introducing the use of Bug Bounty, a procedure for engaging external experts, including for remuneration, to identify potential vulnerabilities and shortcomings in electronic systems and networks.
In May 2023, the Government adopted the Bug Bounty Procedure, which defines the mechanism of interaction between system owners and researchers. In July, the State Special Communications Service developed and approved the documents required by the Procedure:
- an exemplary public proposal for the search and detection of potential vulnerabilities of information (automated), electronic communication, information and communication systems, and electronic communication networks;
- methodological recommendations for developing a public offer.
These are instructions for owners of systems and networks who have decided to engage external experts to search for vulnerabilities.
As a reminder, according to the Procedure, the search for potential system vulnerabilities is carried out on the basis of a public offer published by the system owner on its official website. The system owner develops the public offer in accordance with the model public offer and methodological recommendations.
The public offer shall include, in particular:
- information about the system being searched for potential vulnerabilities;
- the actions that the researcher is prohibited from performing on the system;
- the procedure for submitting a report by the researcher, requirements for its preparation, and forms;
- the amount, form, procedure and conditions of payment of remuneration to the researcher;
- the period of non-disclosure of information about the system’s vulnerability and other conditions.
Back in the spring of 2022, the Criminal Code of Ukraine was amended to provide that interference with the operation of information, electronic communication, information and communication systems, and electronic communication networks is not considered unauthorized if it is carried out in accordance with the Procedure for Searching and Identifying Potential Vulnerabilities of Such Systems or Networks.