The government gives white hat hackers the green light: How systems will now be tested for vulnerabilities – guest column

George Paparyha, an expert in coordinated vulnerability disclosure programs, explains in a column for AIN what will change following the new government decree allowing bug hunters to test systems for vulnerabilities without the owner’s consent.

In early December 2025, the Government of Ukraine approved a new Procedure for Searching and Identifying Vulnerabilities (Cabinet of Ministers Resolution No. 1580) and amended Resolution No. 497. These changes significantly alter the landscape for owners of information systems and mark a clear step toward the decriminalization of white-hat hacking (bughunting).

1. A “License to Hack” for White Hats

From now on, security researchers (white/ethical hackers, or bug hunters) are allowed to test systems without the consent of the owner or operator.

A brief legal context: Article 361 of the Criminal Code of Ukraine, which establishes liability for unauthorized interference with information systems or networks, explicitly states that actions carried out in accordance with the approved procedure for searching and identifying potential vulnerabilities are not considered unauthorized interference. That procedure is defined precisely by Resolution No. 1580.

As a result, a white hat hacker may legally search for vulnerabilities without the system owner’s permission, provided that:

  • there is no interference with system operation, and

  • there is no exploitation of the vulnerability.

Within 24 hours, the bug hunter must submit a notification or technical report to the system owner and to CERT-UA or the relevant sectoral/regional CSIRT.

An important step toward the community: researchers are allowed to report vulnerabilities anonymously or under a pseudonym.

In practice, the state has now authorized white hats to test digital resources and to publish technical reports on identified vulnerabilities.

2. Vulnerabilities Can No Longer Be Hidden or Ignored

First, owners and operators of state or critical information systems are now required to ensure continuous vulnerability discovery.

Second, CERT-UA and the CSIRTs regularly collect and analyze vulnerability information, maintain centralized registries, assess impact within the national cyber-incident information-sharing system, and publish relevant data on their websites.

CERT-UA informs the State Service of Special Communications and Information Protection (SSSCIP) and the Security Service of Ukraine (SBU) about discovered vulnerabilities. These authorities, in turn, issue mandatory remediation requirements to system owners and operators. Government inspections will also increase: the State Cyber Protection Center of the SSSCIP will conduct scheduled and unscheduled scans of state information resources. Vulnerability management is no longer an internal, closed matter for organizations.

In this context, the worst possible strategy is to wait until someone else finds the problem first.

3. How Risk Exposure Changes for Public Authorities and Companies

Higher likelihood of external discovery

If vulnerabilities could previously go unnoticed, they are now much more likely to be:

  • discovered by bug hunters;

  • identified and recorded by state authorities.

Increased liability for delayed response

Ignoring a reported vulnerability may be interpreted as failure to comply with basic security requirements, since vulnerability management is carried out as part of basic cybersecurity measures.

Lack of regular testing creates reputational and operational risks

This is especially true now that state control bodies have more tools for conducting inspections.

4. Why Organizations Should Act Proactively

The new rules effectively move Ukraine toward a model in which public responsibility for information security becomes the norm. What previously could remain in the shadows now changes fundamentally:

  • white hat hackers can test systems without the owner’s consent;

  • national cyber-incident response authorities collect, analyze, and disseminate vulnerability data;

  • scheduled and unscheduled system scans become standard practice;

  • information security is no longer controlled exclusively by the system owner or administrator.

In this model, the most effective approach is proactive auditing and controlled testing: penetration testing, Bug Bounty and Bug Bash programs, and Vulnerability Disclosure Programs (VDP). These mechanisms allow organizations to identify and remediate vulnerabilities in a managed way, before state intervention occurs.

  • Bug Bounty – a continuous or long-term program of coordinated vulnerability discovery with financial rewards.

  • Bug Bash – a short-term, hackathon-style vulnerability discovery event with rewards.

  • VDP (Vulnerability Disclosure Program) – a framework in which external researchers voluntarily report vulnerabilities without monetary compensation.

The process is further simplified by allowing vulnerability discovery through the involvement of the private sector, via contracts with legal entities or individuals, or within international assistance programs (Resolution No. 1580).

It is important to note that Bug Bounty, Bug Bash, and VDP initiatives are typically run by dedicated program operators (Bug Bounty platforms) who engage ethical hackers, coordinate submission and analysis of vulnerabilities (triage), and provide remediation recommendations.

This year, such programs were repeatedly conducted for testing:

Conclusion

Building sustainable testing processes (Bug Bounty, Bug Bash, and VDP) creates a mechanism for early detection and timely remediation of technical vulnerabilities. Systematic community engagement and transparent information sharing directly enhance the resilience of digital services and reduce the overall attack surface of Ukraine’s cyberspace.

Ultimately, everyone benefits: the state, businesses, and users alike, because risks are reduced and trust and security levels increase.

https://en.ain.ua/2026/01/02/the-government-gives-white-hat-hackers-the-green-light-column/