Ukraine reconsiders bug bounties after latest cyberattacks. But are they enough?
Kyiv, Ukraine — Ukrainian ethical hackers prefer to work with clients abroad: foreigners are more open to investing in cybersecurity—and they pay more. In Ukraine, by contrast, only a few private companies are ready to spend money on bug bounties, while the public sector is not allowed to hire ethical hackers by law.
But recent cyberattacks, amid a buildup of Russian forces along Ukraine’s border, are changing that.
Ukraine has failed to adjust regulations to new challenges in cyberspace, local experts told The Record. At the moment, ethical hackers could face fines of up to $42,000 USD or even three years in prison for trying to detect bugs in the computer systems of the Ukrainian parliament, ministries, or state companies.
But as the digital conflict between Ukraine and Russia continues to escalate, the Ukrainian government decided to be more radical—it promised to decriminalize bug bounties, allowing ethical hackers to try to breach state-owned computer systems to detect security vulnerabilities.
Bug bounty programs can decrease the likelihood of a real cyberattack, saving the money an organization might otherwise lose in such a compromise. However, they are only one part of the comprehensive cybersecurity policy upgrades that may be needed—especially as the country faces sophisticated nation-state level threats.
In Ukraine’s public sector, bug bounties could fail, said Vitaliy Yakushev, CEO at Ukrainian cybersecurity consulting company 10Guards.
“The government should not only validate the vulnerability, but fix it and test whether the fix works,” he said. “Bug bounty is important for cybersecurity, but it’s not a life vest.”
Yurii Shchyhol, head of Ukraine's state service responsible for information infrastructure protection, told The Record that government systems were incredibly outdated when he took over in 2020.
“Half of the licenses for the threat detection software expired because no one renewed the subscription,” he said. “Besides, various agencies used different server equipment that did not work together,” Shchyhol added.
The last straw
Ukraine is paying a price for having obsolete laws. State officials claim that Russian hackers attack the country nearly every day, and it can’t deflect all of the threats:
- In 2015, for example, Russian hacker group Sandworm hit Ukraine’s power grid, causing massive power outages and leaving over 225,000 people without electricity
- In 2016, Russian hackers attacked Ukraine’s Finance Ministry and the State Treasury, disrupting about 150,000 electronic payments
- In 2017, ransomware NotPetya affected 12,500 computers used by Ukrainian telecom companies, banks, postal services, retailers, and government bodies.
But the last straw for many policymakers were the cyberattacks that hit at the beginning of 2022. On Jan. 14, attackers broke into roughly 70 government websites, leaving a threatening message on their home pages: “Wait for the worst.”
Although government officials have tried to downplay the consequences of the attack, it still haunts Ukrainians. Attacks have continued since: on Jan. 22, cybercriminals distributed fake court requests to companies and, the same day, posted data on the hacker forum RaidForums that allegedly included phone numbers, emails, and passport data leaked from Ukraine’s state registers; on Jan. 31, they sent dozens of phishing emails to state firms.
The attention of the Ukrainian and global media put Ukraine’s officials under pressure. “They talk so much about bug bounty just to deflect this attention,” Yakushev said.
Ukraine struggles to modernize its cyberdefense
To allow regular nationwide bug bounties, Ukraine has to amend its criminal code, said Shchyhol.
This wouldn’t take much time, had it not been for Ukraine’s red tape. The World Bank’s 2020 assessment of government effectiveness ranked Ukraine 115 out of 192 countries.
The Ukrainian government also does not punish government officials for inefficient cyber defense—it usually puts the blame on programmers, Yakushev said.
During the latest cyberattack, for example, the media and the government pointed fingers at the developer of most of the affected state websites, tech company Kitsoft. The October content management system used by most of the sites had not been updated, which is how the hackers were able to breach them.
Kitsoft denied responsibility: it developed the sites but was not hired by the government to maintain them. “We do not own this IT system, so we do not have to protect and secure it,” the company told Forbes.
When it comes to national security, the government often wants to be in charge of everything. The problem: it lacks resources and expertise.
Hundreds of government agencies, for example, use pirated software downloaded from BitTorrent trackers, according to an investigation published by the Ukrainian outlet Texty.org on Jan. 26. Such software may contain malicious programs that spy on users and steal documents stored on their computers, the report said, which aligns with Shchyhol’s comments about the systemic security problems he found when he joined the government.
Ukraine’s Digital Transformation Ministry, which was created in 2019, also acknowledged a history of problems.
“There were over 350 state registers at the time, and only 28% had safety certificates,” minister Mykhailo Fedorov told the Kyiv Post in 2020. “The registers were scattered and it was hard to find who controlled them.”
There were no talks about nationwide bug bounties at the time.
First attempts to launch bug bounties
In recent years, cybersecurity has become a priority for many Ukrainians. They became more scared of cybercriminals—especially Russian ones. In 2021, Shchyhol’s agency stopped 147 cyberattacks, most of them from Russia, with the number growing by 10-12% every quarter, he said.
Ukraine’s largest e-procurement platform, ProZorro, was one of the first state-owned enterprises to launch a bug bounty program, in 2020. ProZorro employees found a way to work around the law: instead of letting ethical hackers look for vulnerabilities in the production system, they gave them copies that do not serve real users, said its CEO Vasyl Zadvornyy.
Within one-and-a-half years, eight bug hunters found 80 vulnerabilities in ProZorro’s system and won $4,200 USD, according to Zadvornyy.
In 2021, the Digital Transformation Ministry backed a bug bounty for the state-owned mobile application Diia, which lets Ukrainians access their documents on smartphones. Fifty ethical hackers used the U.S. platform Bugcrowd to look for vulnerabilities in a copy of the app. During this first bug bounty, the ethical hackers did not find any bugs of concern.
Ukrainian cybersecurity experts called the program a PR campaign and questioned its results. They said the copy the government provided was not an exact replica of the app, so the outcome says little about its security. Besides, the app itself holds no data; it pulls it from existing government registers, which the ethical hackers were not allowed to test.
Fight for talent
Ukraine has six government agencies responsible for information security. One of them, the State Security Service, for example, fights against cyberterrorism; the Cyberpolice protects against cybercrime and violation of personal data laws; the National Security and Defense Council helps them coordinate.
Some of their specialists have been working for the state for nearly 30 years. Others—like Fedorov and Shchyhol—are young and ambitious, but have limited resources to accomplish their goals.
But nearly all government agencies in Ukraine are underfinanced and cannot recruit talented specialists, according to Kostiantyn Korsun, a Ukrainian cyber expert and former head of the Ukrainian cyberdefense center CERT-UA. Private companies can offer monthly salaries of $1,000-$2,000, according to Shchyhol.
And at Shchyhol’s agency? Around $700.
This lack of funding will likely also be a problem when it comes to bug bounties, Yakushev said.
As of today, it is not clear how much Ukraine will spend on the national bug bounty program, but the country is moving forward to legalize it anyway.
According to a Ukrainian government lawyer familiar with the matter, who spoke to The Record on the condition of anonymity, the country has already hired legal experts to help write the criminal code amendments.
Daryna Antoniuk
is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.