Responsibility FAQ for Exploiting Software Vulnerabilities in Russia

This text is a translation of this article from Russian, made by Valentina D.
Co-authored with Artyom Romanenkov.
Originally published in “Hacker” magazine.

What are the risks of identifying vulnerabilities in someone else's software without the owner's consent? Is it possible to incur a fine for such activity? Is there any administrative or criminal liability for this? How can you minimize risks? Will the bug bounty program save you? We will try to answer all these questions, as well as see what the risks are for the customer himself.


In 2013, student Dejan Ornig discovered vulnerabilities in the TETRA encryption protocol and reported them to the police department. The department remained silent for two years, until Ornig made his findings publicly available in 2015. As soon as the authorities became aware of this, charges were brought against him for hacking the protocol.

As a result, Dejan was found guilty and received a suspended prison sentence of 15 months. An unexpected turn of events, right? It seems that the person found vulnerabilities, decided to do a good deed and reported them to the right people. But as a result, he received such “gratitude” from the authorities. And this is far from the only example.

What awaits a person who searches for and identifies vulnerabilities in third-party products? Events can develop in many ways. It all depends on the goals of the research. It’s one thing when someone did this “to order” for third parties who need such vulnerabilities for their own purposes (hello, Expocod!). It is another when someone works with the knowledge and consent of the service owner himself within the framework of a bug bounty or another agreement. There are also frequent cases when someone finds vulnerabilities and tries to get money from the owner of the service in exchange for information about them.

If everything is more or less clear with bug bounty (since the rules of the game and the acceptable limits of research are set by the owner of the service), then in the absence of any agreement many questions may arise, primarily from the bug hunters themselves.

Is there any responsibility at all for researching and hacking someone else’s program, service, or network?

If we talk about current Russian laws, then yes, there is. When a researcher tests someone else's product for vulnerabilities or penetrates someone else's network without the knowledge and consent of the owner, his actions may be regarded as unlawful. The consequence of such actions may be the onset of various types of liability: civil, administrative and criminal.

Which laws are we talking about?

The study of vulnerabilities (and possible liability for it in the event of illegal acts) is mostly governed by the laws listed below. Please note that this is not the entire list: this article does not address issues related to personal data, secrets protected by law (state, medical, banking, etc.) and some other issues. For now, we'll talk about the following three laws:

  1. Civil Code (part four);
  2. Code of Administrative Offenses;
  3. Criminal Code.

In which cases will a bug hunter be held liable?

It all depends on the specific circumstances of the case, as well as on the consequences that arose after the specific research (testing, hacking). Depending on them, it will be determined whether the bug hunter's actions constitute an offense or a crime, and whether he is subject to liability of the corresponding kind.

What do you need to know about civil liability?

First of all, you need to know that it can occur due to the following circumstances:

  1. the research entailed a violation of copyright;
  2. during the research, personal or property damage was caused;
  3. the terms of use (licensing terms) of the object under study were violated.

Option 1. Copyright infringement

In most cases, the website or computer program under study is a full-fledged object of copyright. Consequently, its copyright holder has the exclusive right in relation to such an object (Article 1270 of the Civil Code of the Russian Federation). This means that, as a general rule, it is the copyright holder who determines whether his object can be copied (in whole or in part), or whether changes, distortions, or modifications can be made to it.

To understand, let’s imagine a situation: researching a web-service for vulnerabilities entailed copying part of the program code of such a service and storing it on the researcher’s own storage device. Such copying is the use of a copyrighted object (software code) by reproducing it. This means that, in fact, the copyrighted object was used by the researcher without the consent of the copyright holder. Formally, this will be considered a violation of the rights of the web-service owner.

Therefore, if during the vulnerability research there was (even fragmentary) copying, modification, change, or distortion of the copyright object under study, then formally this can be recognized as a violation of the exclusive right of its copyright holder to its object. Below is the simplest example from practice.

Terms of use of materials from the website registre.ru
https://www.registre.ru/copyright.html

Materials posted on the website www.registre.ru belong to Profdelo LLC and are prohibited from reprinting. In case of illegal reprinting of site materials, the violator pays the copyright holder a penalty in the amount of 10,000 rubles for each article or part of the article.

What is meant by “materials” is not clear. There is also no mention that this rule applies only to published articles. Therefore, if we imagine a situation where, during testing of this website for vulnerabilities, some materials (be it the texts of unpublished articles, fragments of script code, etc.) were copied by a researcher, then with certain reservations it will be possible to say that such copying violated the copyright of the owner of this website.

If we talk about the amount of liability for such a violation in monetary terms, it is defined in Article 1301 of the Civil Code of the Russian Federation:

• between 10,000 and 5,000,000 rubles (at the discretion of the court);
• twice the cost of a license for the object under study (for its use in the manner in which it was used during the study).

Liability can also be expressed in the form of compensation to the copyright holder for losses incurred during the research. However, the law does not limit the amount of such damages. Therefore, if the copyright holder can prove their amount (even if it is more than 5,000,000 rubles), then the declared amount will have to be paid. How losses will be proven is another question.

Option 2. Harm to person or property

In addition to copyright infringement, liability is also provided for harm to person or property (Chapter 59 of the Civil Code of the Russian Federation). As a general rule, harm caused to the person or property of a citizen, as well as harm caused to the property of a legal entity, is subject to compensation in full by the person who caused the harm. In turn, the person who caused the harm is released from compensating for it if he proves that it was not his fault.

This can be explained more clearly like this. Let's imagine a situation: there is a software package that is responsible for the automatic supply of hot water to residential buildings. If vulnerability research caused the failure of this package, then its owner will have the right to recover from the researcher all losses incurred by him (including the cost of repairs and restarting the equipment). If these same actions caused damage to property in the houses whose water supply is controlled by that software package, then the owners of the apartments will also be entitled to recover their losses.

That is, it should be understood that if, as a result of testing, an expensive and complex software product is disabled, then the consequences can be serious, as well as liability for them. And monetary penalties here can easily exceed the limits that we talked about when considering cases of copyright infringement.

Option 3. Violation of terms of use (license)

Often, the object of research (be it a website, software or other service) has its own terms of use. They may be called rules of use, terms of service, license agreement, etc. These terms may provide for additional liability of the user for the actions he performs in relation to the object of study.

See the example above about the "Profdelo" website. Although the copyright conditions there are incorrectly written, we can assume that in this case a researcher is liable for violating the terms of use of the website: 10,000 rubles for each article or part thereof.

In addition, we may be talking about compensation for losses to the owner of the resource under study. A couple of examples for clarity.

Terms of use of the website
https://snob.ru/basement/term
The User undertakes to reimburse Snob Media LLC for losses, including legal costs, resulting from the User’s materials, non-compliance with the provisions of this Agreement or violation of the rights of third parties, regardless of whether the User is registered or not. The User is personally responsible for actions when using the Website, including, but not limited to, payment of the cost of Internet access during such use.

Terms of service
http://ru.besv.com/terms-of-service/
5. Compensation
In case of violation of these Terms of Service, as well as other legal requirements, in case of violation of the rights of third parties and when initiating legal proceedings as a result of such violation, you agree that the Company and its affiliates, managers, agents, employees, services or content providers, distributors and sellers are exempt from legal liability in connection with such a violation. You further agree to indemnify the foregoing entities for all losses, damages, civil liability and expenses (including reasonable attorney's fees and other legal costs) incurred as a result.

According to these texts, a researcher whose actions lead to losses for the owners of the sites snob.ru and ru.besv.com may be held liable for these losses. And, if proven guilty, he will be forced to pay damages.

There are even resources whose terms of use explicitly prohibit searching for vulnerabilities.

Rules and conditions for registration on the Masters of Taste website
https://mastersoftaste.club/legal
In particular, Users should not:
<…>

  • attempt to assess or test the vulnerability of the Website, as well as violate the security rules and user identification systems of the Website without the prior written consent of the Organizer

Terms of use (offer) of the website kartatalanta.ru
http://kartatalanta.ru/text/terms.php
By using the Website, the Registered User undertakes not to violate or attempt to violate the information security of the Website, which includes:
<…>
5.2. attempts to check the vulnerability of the Website’s security system, violation of the registration and authorization procedure without the permission of the Contractor;

Therefore, before testing a specific software product for vulnerabilities, it would be a good idea to familiarize yourself with the rules for its use: see whether they mention prohibitions on such actions and whether potential liability for them is indicated.

What is administrative responsibility?

The Code of Administrative Offenses of the Russian Federation contains an extensive list of possible violations in the field of information protection, among which two points can be distinguished.

Engagement in activities in the field of information protection (except for information constituting a state secret) without obtaining a special permit (license) in the prescribed manner, if such a permit (license) is mandatory in accordance with federal law (Article 13.13 of the Code of Administrative Offenses). Possible liability: an administrative fine of up to 1,000 rubles with or without confiscation of information security equipment (for individuals); up to 20,000 rubles with or without confiscation of information security equipment (for legal entities).

Disclosure of information to which access is limited by federal law (except for cases where disclosure of such information entails criminal liability) by a person who has gained access to such information in connection with the performance of official or professional duties (Article 13.14 of the Code of Administrative Offenses). Possible liability: an administrative fine of up to 1,000 rubles (for individuals) and up to 5,000 rubles (for officials).

Administrative liability may be imposed separately from civil liability. That is, some violations are not civil-law matters at all, so formally one can also be held accountable if the corresponding offense is provided for in the Code of Administrative Offenses.

What is the criminal liability?

Criminal liability for crimes in the field of computer information is provided for in Chapter 28 of the Criminal Code of the Russian Federation and is applied when socially dangerous consequences occur. Let's start with Article 272 of the Criminal Code of the Russian Federation.

The Criminal Code of the Russian Federation, article 272. Unauthorized access to computer information

1. Unlawful access to computer information protected by law, if this act entailed the destruction, blocking, modification or copying of computer information, is punishable by a fine in the amount of up to two hundred thousand rubles or in the amount of the wages or other income of the convicted person for a period of up to eighteen months, or by correctional labor for a term up to one year, or restriction of freedom for a term of up to two years, or forced labor for a term of up to two years, or imprisonment for the same term.

According to it, only actions in the form of access to legally protected computer information can be punishable. The concept of access is given in Article 8 of the Federal Law “On Information, Information Technologies and Information Protection” dated July 27, 2006, No. 149-FZ, which defines it as the searching for and obtaining of any information in any form and from any source, subject to compliance with the requirements established by law.

Computer information (according to the Federal Law “On Amendments to the Criminal Code of the Russian Federation and Certain Legislative Acts of the Russian Federation” dated December 7, 2011, No. 420-FZ) means information (messages, data) presented in the form of electrical signals, regardless of the means of their storage, processing and transmission.

It is important to keep in mind that criminal prosecution is possible only if the actions of the perpetrator entailed material consequences: destruction, blocking, modification or copying of computer information. In the absence of such consequences, guilt in committing a crime under Art. 272 of the Criminal Code of the Russian Federation is excluded.

For example, if citizen Ivanov, wanting to check the fidelity of his girlfriend, uses her (illegally obtained) login and password, accesses her email and views messages without taking any action to copy, change or destroy information, then Ivanov will not be held liable under Art. 272 of the Criminal Code of the Russian Federation, since no socially dangerous consequences are seen in his actions. However, such actions may constitute another corpus delicti, which is provided for in Art. 138 of the Criminal Code of the Russian Federation, “Violation of the secrecy of correspondence, telephone conversations, postal, telegraph or other messages.”

The Criminal Code of the Russian Federation also provides for criminal liability for the following acts:

The Criminal Code of the Russian Federation

Article 273. Creation, use and distribution of malicious computer programs

  1. The creation, distribution or use of computer programs or other computer information, knowingly intended for unauthorized destruction, blocking, modification, copying of computer information or neutralization of means of protecting computer information, is punishable by restriction of freedom for a term of up to four years, or forced labor for a term of up to four years, or imprisonment for the same period with a fine in the amount of up to two hundred thousand rubles or in the amount of wages or other income of the convicted person for a period of up to eighteen months.

Article 274. Violation of the rules for operating means of storing, processing or transmitting computer information and information and telecommunication networks

  1. Violation of the rules for operating means of storing, processing or transmitting protected computer information or information and telecommunication networks and terminal equipment, as well as rules for access to information and telecommunication networks, resulting in the destruction, blocking, modification or copying of computer information, causing major damage, is punishable by a fine in the amount up to five hundred thousand rubles or in the amount of wages or other income of the convicted person for a period of up to eighteen months, or by correctional labor for a term of six months to one year, or by restriction of freedom for a term of up to two years, or by forced labor for a term of up to two years, or imprisonment for the same period.

That is, the use of any malicious programs (trojans, keyloggers, etc.), as well as the disruption of information networks or equipment during the study of a service or other software product, can also constitute a separate crime.

Under aggravating circumstances (for example, when the act was committed by a group of persons by prior conspiracy), when grave consequences occur, or when an official position is abused, the punishment, as a rule, increases.

How can a researcher reduce the risk of liability?

Liability can be excluded in situations where the researcher’s actions do not violate the law or the rights and legitimate interests of third parties. For example, the risk of liability is reduced when the research is conducted with the knowledge and consent of the owner (copyright holder) of the software or web service being studied. This may be written consent from the owner (a bilateral agreement or another written form of consent, at a minimum electronic correspondence), or it may be a general agreement to carry out such activities (a bug bounty program is precisely this kind of agreement). The main thing is that the researcher has at his disposal evidence confirming the fact of consent.

In addition, the research should not cause harm to the person or property of third parties, or violate copyright. It is also worth reading the terms of use of the product under study, as they may contain provisions that could lead to additional trouble for the researcher if he is taken to court. This recommendation also applies to bug bounty programs: after all, they can sometimes present surprises.

And of course, we should not forget that everything depends on the circumstances of a particular situation, so in different cases the answers to the same questions may differ.