Some cybersecurity professionals express unease about ‘red team’ VDP launched alongside defense-focused program
Ethical hackers are being invited to unearth critical vulnerabilities in the digital infrastructure of both the Ukrainian and Russian governments.
HackenProof, the Estonia-based bug bounty platform, said bugs reported in a vulnerability disclosure program (VDP) focused on Ukrainian assets will be sent to the Ukrainian authorities for remediation in order to bolster the nation against cyber-aggression from Russia or elsewhere.
Information about security flaws submitted to a second VDP dedicated to Russia’s “propaganda machine”, meanwhile, is being relayed to Ukrainian cyber forces so they can “remove false information” and “disseminate real facts” about the country’s ongoing invasion of Ukraine.
Although hackers who find bugs in Russian assets have been instructed to report them anonymously and not to exploit them themselves, some cybersecurity professionals have raised concerns about the programs.
Speaking on Twitter, one hacker declined to participate due to the potential risks of escalating the conflict, while another tweeted concern about the suggested Russian targets, which include SCADA systems and the telecommunications, banks, and energy sectors.
Mikko Hyppönen, chief research officer for Finnish cybersecurity firm F-Secure, told The Daily Swig: “There doesn’t seem to be any question about what HackenProof is doing: they are straight up promoting attacks against Russian targets, including DDoS against systems of Russian Railways.
“This is obvious, if you check the messages they post on their Telegram channel. I don’t think I've ever seen anything like this.
“It’s not surprising that people want to attack Russian targets in this situation. But it is surprising to see a bug bounty platform promote this.”
The Daily Swig spoke to another, Estonia-based cybersecurity professional who warned hackers against so-called cyber vigilantism because “who is going to protect them, and those impacted, if they go too far? This is why hack-backs are generally illegal”.
Asked about these concerns, HackenProof CEO Yevheniia Broshevan, who is Ukrainian, told The Daily Swig: “After the program was launched, we got feedback and decided to concentrate on countering disinformation. Now all hackers’ forces are focused on looking for ways to spread the real facts.”
Broshevan continued: “What’s important is that we’re not going to store or reuse any of the reported bugs or data. We’re giving a secured platform and dashboard for independent researchers that want to help Ukraine.”
US bug bounty platform HackerOne has encouraged its own “hacker community to consider participating in HackenProof’s program to strengthen the digital infrastructure of Ukraine”, but added “that HackerOne will NOT engage in offensive hacking”.
It has also pledged to “withdraw all programs for customers based in Russia, Belarus, and the occupied areas of Ukraine”.
“Unfortunately, Russia has started the biggest and most disastrous war in Europe since World War II,” said Broshevan. “It’s our obligation to protect Ukraine from Russian terrorists and their allies from Belarus.”
Broshevan added: “We want to stop Russian propaganda by letting people living in Russia stop consuming fake news and misinformation regarding the war in Ukraine.”
Bug hunters will not be paid bounties for discoveries on either program.
Broshevan added: “Cybersecurity specialists and white hat hackers worldwide want to help Ukraine in its fight for democratic and secure future and to this end they use all their skills and knowledge.”