Criminal Law Compliance with Cyber Resilience Testing of Information Systems (Penetration Testing and Bug Bounty)

Keywords: pentesting, bug bounty, computer crimes, criminal compliance, cybersecurity, white hat hackers

Abstract

The increasing dependence of individuals, society, and the state on digital technologies is driving a growing demand for computer system security services. A distinct cybersecurity market has already emerged in Russia, with estimated turnover in the multi-billion dollar range (at the end of 2024, the market size was 593.4 billion rubles). One significant segment of the industry is the provision of services for comprehensive and in-depth testing of information systems for resistance to cyberattacks (penetration testing). At the same time, the practice of crowdsourcing information system security analysis (bug bounty) is rapidly developing, allowing anyone to participate in testing an information system and, if a vulnerability is discovered, receive a reward. The goal of this research is to develop theoretical recommendations and proposals for mitigating the criminal risks that arise during cybersecurity testing of information systems. The research is based on the application of general scientific and specialized methods (analysis, synthesis, induction, formal legal, abstract logical, etc.). In the absence of specific legal regulation, “ethical hackers” searching for vulnerabilities in information systems undoubtedly expose themselves to the risk of criminal prosecution. Therefore, addressing this issue requires defining a legal framework for cybersecurity testing of information systems. The paper concludes that, when testing the security of a computer system, a specialist possessing the necessary knowledge and relying on proven methods and tools strives to achieve a socially beneficial result. However, they always accept (even if only to a small degree) the risk of system failure with subsequent possible negative consequences, such as an emergency shutdown of automated process control systems, equipment failure, data destruction or blocking, etc. Such behavior by a specialist, as well as the corresponding consequences, fully complies with the provisions of criminal law on justified risk (Article 41 of the Criminal Code of the Russian Federation). Based on the research, the article offers several recommendations for mitigating the criminal risks of cybersecurity testing of information systems.

Author Biography

Evgeny Aleksandrovich Russkevich, Kutafin Moscow State Law University

Doctor of Sciences (Law), Kutafin Moscow State Law University, 9 Sadovaya-Kudrinskaya Str., Moscow 123342, Russia, russkevich@mail.ru


Published
2026-04-24
How to Cite
Russkevich E. A. (2026). Criminal Law Compliance with Cyber Resilience Testing of Information Systems (Penetration Testing and Bug Bounty). Legal Issues in the Digital Age, 7(1), 141-163. https://doi.org/10.17323/2713-2749.2026.1.141.163
Section
E-Government And Cybersecurity