Decriminalization of Ethical Hacking: How New Government Rules Change Responsibility for Cybersecurity in Ukraine
Time for Action has analyzed the new model for working with vulnerabilities in information systems that began to take shape after the government approved an updated procedure for searching and identifying vulnerabilities. This concerns a fundamental change in the state’s approach to cybersecurity, the responsibility of system owners, and the role of white hackers in protecting digital resources.
In practice, the state has, for the first time at the regulatory level, recognized that the search for vulnerabilities may be carried out without the consent of the system owner and at the same time not be considered an offense. The key condition is that such actions must not interfere with the operation of the system and must not involve exploitation of the identified vulnerability. It is precisely in this logic that Article 361 of the Criminal Code of Ukraine is now applied, which directly provides that actions are not considered unauthorized interference if they are carried out in accordance with the approved procedure for searching and identifying potential vulnerabilities.
Thus, ethical hacking ceases to be a grey zone. The state has allowed white hackers to test digital resources and publish technical reports on identified vulnerabilities. Moreover, the researcher is obliged within 24 hours to notify the system owner of the identified problem, as well as CERT-UA or a sectoral or regional CSIRT. It is also important that a bug hunter has the right to report a vulnerability anonymously or using a pseudonym, which reduces personal risks for researchers and stimulates community participation.
For owners and administrators of information systems, this means a radical change in conditions. Vulnerabilities can no longer be hidden or postponed. From now on, the search for vulnerabilities in state and critical systems must be ensured on a permanent basis. CERT-UA and CSIRT carry out continuous collection and analysis of information, maintain centralized registers, assess the impact of vulnerabilities within the national system for exchanging information on cyber incidents, and publish relevant data on their web resources.
A separate role in the new model is played by the State Service of Special Communications and Information Protection and the Security Service of Ukraine, which receive information on identified vulnerabilities and may formulate mandatory requirements for system owners. Additionally, control is strengthened through planned and unplanned scans of state information resources conducted by the State Cyber Protection Center. This means that cybersecurity is no longer an internal matter of a particular organization.
Under such conditions, the risk profile for state bodies and businesses changes significantly. The probability that a vulnerability will be detected by external actors increases sharply. If earlier a problem could remain unnoticed for years, now it is highly likely to be either found by a bug hunter or recorded by state structures. Ignoring vulnerabilities or responding too late may be interpreted as non-compliance with basic cybersecurity requirements, since vulnerability management is part of mandatory security measures.
In this logic, the absence of regular testing becomes particularly risky. It creates not only technical but also reputational and operational risks, especially given the expanded instruments of state control. The worst strategy in the new conditions is to wait until someone else finds the problem.
That is why the state is effectively stimulating a transition to proactive models of vulnerability management. This concerns controlled testing formats such as Bug Bounty, Bug Bash, and Vulnerability Disclosure Programs (VDPs). Bug Bounty involves a permanent or long-term program for identifying vulnerabilities for a reward. Bug Bash refers to short-term or event-based formats, including hackathons. VDPs are volunteer programs in which white hackers report identified problems without financial motivation.
These tools allow organizations to be the first to learn about weaknesses, manage the remediation process, and reduce the risk of uncontrolled disclosure or forced intervention by state authorities. It is important that vulnerability searches can now be carried out with the involvement of the private sector on the basis of contracts with legal entities or individuals or within the framework of international assistance.
The practice of such approaches already exists in Ukraine. Coordinated vulnerability disclosure programs have been used to test the systems of the State Enterprise “State Logistics Operator” (DOT-Chain), state registers of the Ministry of Justice, the BankID system, the resources of the State Enterprise “PROZORRO” and authorized platforms. This indicates that the new rules are not declarative; they scale mechanisms that already exist.
The extended conclusion of Time for Action is that the adopted decisions change the very philosophy of cybersecurity in Ukraine. The state is moving from a closed, reactive model to a system where transparency, public responsibility, and community involvement become the norm. For owners of information systems, this means the end of a passive approach. In the new reality, those who invest in proactive audits, systematic testing programs, and cooperation with the ethical community will benefit. As a result, risks are reduced, user trust increases, and the resilience of Ukraine’s digital space to cyberattacks is strengthened.