by Sarah Wiedemar

Bug bounty programs take root in Russia — with possible far-reaching implications

Opinion

27 Aug 2024 | 7 mins

Application Security | Technology Industry

International sanctions, IT isolation, and shifting attitudes to ethical hacking have bug bounty programs on the rise in Russia, with zero-day acquisition companies potentially poised to profit.


Russia’s 2022 invasion of Ukraine and subsequent international sanctions against Moscow and Minsk are having serious repercussions for the cybersecurity ecosystem in Russia.

The withdrawal of Western IT companies, the exodus of Russian IT specialists, and the changed cyber threat landscape due to the war in Ukraine have forced Moscow to come up with domestic solutions to improve its cybersecurity posture. These import substitution efforts now include vulnerability research initiatives known as bug bounty programs, in which individuals receive a reward (the bounty) for discovering and reporting software and hardware vulnerabilities (the bugs) to the developers.

In March 2022, international sanctions against Russia led third-party platforms, and companies hosting their own in-house bug bounty programs, to stop paying out bounties to Russian and Belarusian hackers.

For instance, in March 2022, HackerOne, the world’s largest vulnerability research platform, refused to pay out a US$25,000 bug bounty reward to Belarusian hacker xnwup. Similarly, Anton Subbotin, the top Russian bug bounty hunter on HackerOne in early 2022, revealed publicly that he was denied a payout of US$50,000, which even included bug reports he submitted to HackerOne prior to Russia’s invasion.

HackerOne also removed Russian companies from its platform, including cybersecurity company Kaspersky Lab, online marketplace Ozon, and mail provider Mail.ru. US- and Australia-based bug bounty platform Bugcrowd and Belgium-based bug bounty platform Intigriti also removed Russian customers due to the international financial sanctions.

Most recently, in June 2024, Apple’s Security Bounty Program refused to pay out a bounty to Kaspersky Lab after the company discovered four zero-click zero-days in iOS that were used to spy on the iPhones of Kaspersky employees and Russian diplomats. While Kaspersky is not barred from submitting further reports to Apple, it is no longer eligible to receive any bug bounty payments from Apple.

Russian bug bounty ecosystem rising

Given the current uncertainty that Russian bug bounty hunters and vulnerability researchers are facing when dealing with Western bug bounty programs, Russian IT companies have begun to fill that vacuum.

Bug bounty programs have a relatively long history in Russia. Yandex launched the first major Russian bug bounty program in 2012, at the same time as the first major bug bounty programs emerged in the US. Despite Yandex’s early efforts, bug bounty programs have not traditionally been considered an established mechanism for improving the security posture of Russian companies. This was partly due to general distrust of hacking on the part of the Russian government and commercial companies, but also because Western platforms dominated the market. 

In February 2021, Cyber Polygon and Sinclit founded the platform Bug Bounty RU. In May 2022, Positive Technologies launched Standoff 365 Bug Bounty; within two years, the cybersecurity company had hosted 70 programs on it. BI.ZONE’s Bug Bounty platform followed in August 2022. As of this writing, these three bug bounty platforms are the largest in Russia.

In 2023, the total number of bug hunters on these platforms amounted to 20,000 people. The increasing number of companies participating in these platforms shows Russian companies’ growing interest in better protecting their products. Today, major Russian companies from the banking, retail, and IT sectors, such as T-Bank, Ozon, and social media platform VK, offer their programs on these platforms — including companies that no longer work with HackerOne. Positive Technologies itself offers the highest bounties on Standoff 365 Bug Bounty, with up to 60 million rubles (US$680,000). The bug bounty payout structure is comparable to those of HackerOne and other Western platforms.

Standoff 365 and BI.ZONE have made efforts to attract bug bounty hunters from Asia, Africa, and the Middle East onto their platforms. This strategy is an effort to gain a foothold in other regional bug bounty markets and attract foreign companies onto their platforms.

Russian government joins the fray

The Russian government is also capitalizing on the emergence and establishment of a domestic bug bounty ecosystem.

A handful of Russian government institutions have partnered with Standoff 365 and BI.ZONE, which indicates a change in the perception of bug bounty programs and of the Russian hacking community, which until recently was seen as a threat to security rather than a means of enhancing it.

In February 2023, the Ministry of Digital Development enrolled 10 of its e-government systems, including Gosuslugi, the portal of the state services of the Russian Federation, on both the Standoff 365 Bug Bounty and the BI.ZONE Bug Bounty platforms. The maximum payout for finding a critical vulnerability is ₽1 million (US$11,000). According to the Ministry, more than 16,000 people have signed up for the government’s bug bounty program, with more than 100 vulnerabilities found so far.

These federal efforts are trickling down to regional governments as well. In December 2023, the municipal services of the Moscow Oblast (uslugi.mosreg.ru) launched their own bug bounty program on Standoff 365, and the Rostov Oblast followed in the same month with its geographical information system (RO GIS); the Republic of Sakha opened its electronic services to bug hunting in May 2024. Unlike programs launched by private companies, those affiliated with government institutions are open only to citizens of the Russian Federation.

What this could mean for cybersecurity beyond Russia’s borders

These developments have occurred amidst legal ambiguity in this domain, as Russia’s criminal code does not differentiate between criminal hacking and ethical hacking (vulnerability research).

Ethical hacking is still deemed illegal in Russia and can be penalized with up to seven years in prison. Unlawful computer access is criminalized under Articles 272 and 273 of the Russian Criminal Code. As Russia’s cyberthreat landscape has significantly deteriorated since the war began in February 2022, new initiatives to improve cybersecurity in Russia have now landed on the political agenda. Already in the summer of 2022, the Ministry of Digital Development proposed the idea of supporting bug bounty programs. But a bill to legalize ethical hacking was only submitted to the State Duma in December 2023.

The Federal Security Service (FSB) and the Federal Service for Technical and Export Control (FSTEC), the main regulatory bodies in the field of information security in Russia, are complicating the legislative process, fearing it could obstruct the fight against cybercrime. As of May 2024, the bill has been endorsed by the State Duma but is still subject to revisions. If adopted, these efforts would align with the Russian government’s broader initiatives to enhance cybersecurity, including mandatory incident reporting, increased fines for data breaches, banning Western software in critical infrastructure related to national security, and potentially establishing a cybersecurity agency similar to the US CISA.

Russian bug bounty platforms have a high probability of substantial growth in the next few years. They provide a credible alternative to Western platforms not only for Russian hackers, but also for all other vulnerability researchers located in countries that could potentially face international financial sanctions in the future.

From a Western perspective, a potentially problematic development would be Russian hackers deciding to sell vulnerabilities found in Western products to Russian zero-day acquisition companies such as Operation Zero. Thus, instead of reporting them to Western bug bounty platforms for free, they would sell to the highest bidder.

Those zero-day acquisition companies in turn sell the vulnerabilities on to Russian law enforcement and security agencies, which could lead to increased espionage campaigns in Western countries. Western policy makers would do well to keep an eye on the evolution of Russia’s bug bounty ecosystem.

Sarah Wiedemar is a Cyber Defense Researcher at the Center for Security Studies (CSS) at ETH Zurich.
