White hat hackers in Kazakhstan can legally hack the information systems not only of private companies but also of state ones. They were granted this right in December 2023, when legislative amendments came into force which, among other things, regulate the work of white hat hackers. Information systems researcher Katerina Shevchenko and Olzhas Satiyev, president of the Centre for Analysis and Investigation of Cyber Attacks (TSARKA), explained in detail how ethical hackers work.
Who white hat hackers are and why they are needed
Security testing specialists, also known as information security researchers or white hat hackers, are people who study IT systems and find vulnerabilities in them. Unlike black hat hackers, they do so ethically: they hack websites with the consent of the companies that own them and report the flaws they find, so that the owners of the internet resources can fix them and avoid real attacks in the future.
According to Katerina Shevchenko, white hat hackers look at the same website as any other user, but see it not as a source of information but as a set of functionality to be studied and broken. Afterwards, they write a report for the owners so that the flaws can be fixed. There is a saying that nothing is unhackable: anything can be hacked. According to her, vulnerabilities can always be found, but they differ in severity: low, medium or high.
Olzhas Satiyev recalled a case from several years ago in which a researcher found a way to penetrate a system and shut off the cold and hot water supply in Astana, the capital of Kazakhstan; that was a critical severity vulnerability. Another example came up during testing of a bank's information systems, when it turned out that recorded conversations between call centre operators and customers, which contained card numbers and personal data, could be intercepted.
How white hat hackers work
A private platform, BugBounty, operates in Kazakhstan and brings the owners of internet resources together with white hat hackers. Through the platform, owners authorise ethical hackers to hack their systems without damaging them.
Olzhas Satiyev explains how it works. First, the system owner enters into a contract with the platform, pays for participation in the programme (placement on the BugBounty platform) and allocates a budget from which white hat hackers are paid. Hackers search for vulnerabilities in the company's system, submit reports and receive the reward.
There is a public offer for white hat hackers, of whom there are over 2,500 on the platform; it contains clauses on an NDA (non-disclosure agreement) and on liability for any damage caused.
Both state organisations (which receive the services free of charge, see below) and private companies may join the platform.
“Now the platform has state information systems, banks of five countries, telecom operators, e.g. Kcell. There are small medical organisations there. So, basically, anyone can join the system if they are willing to pay a reward and if their information systems are vulnerable,” said Satiyev.
Is such ethical hacking safe and what hackers are not allowed to do?
According to Olzhas Satiyev, such tests pose no risk to the companies. The fact is that various hacker groups try to attack Kazakhstan-based state resources and private organisations every day. With white hat hackers, the state and companies provide a legal opportunity to find vulnerabilities before fraudsters do.
Moreover, special rules apply to hackers on the platform. For example, specialists may not disclose information about a detected vulnerability before it is fixed, perform DDoS attacks, or use aggressive tests or social engineering against their customers. Also, any personal data that may have been obtained accidentally during a test must be deleted.
According to Katerina Shevchenko, specialists test only the perimeter of the information system that the owner company has authorised. Ethical hackers must also report every vulnerability they find.
If a person hacks websites for their own purposes (for example, to sell the information on the darknet), they can be fined 590 thousand tenge (1,245 dollars) or more. And if it leads to serious consequences, they may face imprisonment for up to three years.
What is the cost of hiring a white hat hacker?
According to Katerina Shevchenko, the cost of the services of ethical hackers employed on a company's staff varies and depends on the specialist's experience. An entry-level employee may earn from 250 thousand tenge (520 dollars), a senior specialist from one and a half to two million tenge (3,120-4,160 dollars).
On the BugBounty programme, the cost of the services also varies and depends on the vulnerabilities found. For example, the work of a specialist who finds a low severity vulnerability costs up to 200 dollars, a medium severity one from 200 to 1,000 dollars, and a high severity one 1,000 dollars or more. Olzhas Satiyev said that some researchers on the programme could earn about 5,000 dollars. Abroad, much more is paid for finding vulnerabilities.
If an ordinary person who is not a professional hacker finds a vulnerability, they can report it via BugBounty and receive a reward instead of selling the information on the darknet.
“Akimats (mayor’s offices) of various towns have services where you can send requests and photos of potholes or any other problems in town. And they tell you that they will fix the problem. The same thing happens in the infrastructure: there is an opportunity to ‘report’ some vulnerability or leak of citizens' personal data, and the owner of the system should fix it all. Moreover, you can get a reward for that,” Olzhas Satiyev said.
How much private companies pay for participation in the BugBounty programme
Amounts vary greatly here. They depend on the number of information systems and the scope of work: it will cost 20 thousand dollars per year for some and 200 thousand dollars for others, said the president of the Centre for Analysis of Cyber Attacks.
“We should take into account that it is a new programme in Kazakhstan, and [companies’ budgets for this purpose] are limited. Many just get the taste of it. Speaking about foreign companies, they pay millions of dollars per year for their confidence because they are sure that a great number of independent researchers try to find their vulnerability 24/7,” said Olzhas Satiyev.
The state does not pay for participation in the programme, said Ruslan Abdikalikov, chair of the Information Security Committee. According to him, hackers report vulnerabilities free of charge to the owners of BugBounty, and TSARKA passes them on free of charge to the state.
“Whatever we get from them, we get from white hat hackers on their free will, and we appreciate them so much,” Abdikalikov said.
The State Committee for Information Security issues certificates to the most active researchers, but the state does not pay them bonuses, as there is no provision for this in its budget.
How information security amendments affect the work of white hat hackers
The most important effect of the passing of the new law, which legalised the institution of white hat hackers, is that the process of finding and fixing vulnerabilities has sped up. During the pilot project, researchers reported about 3,000 vulnerabilities. According to Olzhas Satiyev, neither the ministry of digital development, nor the state technical service, nor TSARKA would have been able to find so many vulnerabilities in the Kazakhstan segment in such a short time.
Moreover, new vulnerabilities appear in different systems every day. Once researchers find them, they check which state resources or critical infrastructure in Kazakhstan are exposed to them. They then test the systems and submit reports. Previously this work could take a few months; now it takes only a couple of days.
This publication was funded by the European Union. Its contents are the sole responsibility of IWPR and do not necessarily reflect the views of the European Union.