Russian companies have become more likely to hire so-called white hackers, specialists who identify vulnerabilities in the information infrastructure. The number of vacancies for them has increased by 20% this year, according to recruitment services. Such work is fraught with risks from the point of view of legislation on personal data and unlawful access to information, the lawyers recalled. Who is looking for "white" hackers and how much they are willing to pay them is covered in this Izvestia article.

Who are the "white" hackers?

Since the beginning of the year, about 200 vacancies for so-called white hackers (or pentesters) have appeared in Russia, which is 20% more than in the same period of 2024, the recruitment service hh.ru told Izvestia. But experts point out that the need for such specialists has been even higher over the past year, and they are usually sought not in open sources, but "point-by-point."

The task of pentesters is to identify vulnerabilities in a company's information systems using actions similar to those of intruders. Specific requirements for them include knowledge of attack methods, ways of circumventing security systems and testing techniques, as well as experience in finding vulnerabilities and working with the appropriate scanning tools. Most often, IT companies and organizations that deal with financial technologies are looking for pentesters.

— The median salary offered in 2025 was 225 thousand rubles; a year ago it was 220 thousand rubles, — hh.ru stated. — But most often in vacancies for pentesters, employers do not specify a specific level of remuneration and are ready to discuss salary with the candidate.

99% of the applicants for the pentester position are men, according to the data from the SuperJob job search and recruitment service. The average age of a candidate is 31 years. More than half, or 57%, of them have higher education. According to the service, such specialists are most often sought in Moscow and St. Petersburg.

The work of a "white" hacker requires high technical qualifications, a deep understanding of the infrastructure and constant professional development, Kirill Pshenichnykh, director of the Avito Jobs Office Professions category, told Izvestia.

— And usually employers are looking for candidates with a specific set of competencies and often resort to recommendations, professional communities and industry events, — the expert explained.

The income level of such specialists can vary significantly, he stressed. It all depends on the specialization, qualifications, amount of responsibility, as well as the scale of the business and the region in which the company operates.

— That is why salary ranges in this profession can be very wide: from small start-up offers to highly paid positions for experienced experts, — Kirill Pshenichnykh added.

The minimum wage for pentesters in St. Petersburg starts from 80 thousand rubles, and in Moscow from 100 thousand rubles, according to SuperJob data. During the year, salaries for such specialists increased by an average of 8%.

— Although the profession of a pentester is not always reflected in the mass of vacancies on popular sites, it remains extremely significant and promising in the digital economy, — Kirill Pshenichnykh is sure.

Pentesters are always in demand in companies with a mature approach to ensuring the security of their resources, says Anton Kiselyov, head of the iTPROTECT Information Security Services Development Department.

— They are in demand, starting with the provision of penetration testing, ending with related areas where the experience of a specialist in this field is indispensable in building protection. This can be code vulnerability analysis, application testing, web service protection, analytics, and so on, — the expert explained.

How else are they looking for vulnerabilities

In recent years, the Russian market has seen a steady increase in interest not only in pentests, but also in other types of ethical hacking, such as Bug Bounty programs, which bring in specialists to test the IT infrastructure and find its vulnerabilities, Yulia Voronova, director of consulting at Positive Technologies, told Izvestia.

"This is due to the dynamically changing landscape of cyber threats, modernization and digitalization, which increase the vulnerability of infrastructures and business processes to cyber attacks. One of the most effective ways to assess the state of security is to conduct such studies," she noted.

In the last six months, according to Yulia Voronova, there has been a rapid increase in demand for cyber-testing through bug bounty platforms.

— They attract a lot of researchers and become an alternative to traditional pentests. Demand is growing not only among large institutional clients, but also in the middle segment, — she explained. — The market is already aware of the need for such research, and bug bounty platforms effectively solve the problem of shortage of specialists.

Dmitry Livshin, Director of digital transformation at the FRESH automotive marketplace, told Izvestia about his readiness to challenge independent "white" hackers. The company participated in cyber-tests on the Russian Standoff Bug Bounty platform, where almost 25 thousand bug hunters from 60 countries are registered.

— Many people believe that a typical scenario of a cyberattack on an organization is an attack on its website. In fact, the list of threats is much longer. It's much worse if hackers get into our infrastructure, where they can steal customer data or launch an encryption virus that will make the internal systems involved in every car sale work, — he explained.

In this case, the attackers can partially or completely paralyze the company's work for up to two weeks, and the damage will be measured in tens of millions of rubles. Therefore, the company decided to give "white" hackers the opportunity to test its resilience.

"Different ways of exposure are allowed. From remote ones, when a hacking attempt can be carried out over the Internet even from another country, to contact ones: for example, a hacker has the right to come to the FRESH car center, open a laptop and try to enter the system via a local Wi-Fi network. Social engineering is also not prohibited," Dmitry Livshin explained.

In just three years, over 100 vulnerability detection programs have been published on the Standoff Bug Bounty platform alone. From May 2022 to May 2025, the total amount of rewards amounted to 242 million rubles, it was announced at the Positive Hack Days international cyber festival. The maximum amount of remuneration on the platform is almost 4 million rubles, and the average payout for an accepted vulnerability is 58 thousand rubles.

Over the past year and a half, the number of "white" hackers on the platform has more than tripled.

— The bug bounty trend is actively growing, but the number of specialists capable of efficiently performing such tasks is increasing slightly, — said Yulia Voronova. — Platforms and marketplaces that unite researchers make it possible to effectively implement bug bounty programs. They provide a high-quality assessment with a guaranteed result, since payment is made only for the goals achieved, which is especially in demand by customers.

Responsibility for hackers

Although "white" hackers operate in the legal field, from the point of view of the law, there is a rather thin line between them and malicious hackers, the lawyers noted. There are three articles in the Criminal Code of the Russian Federation that can be applied, including to "white" hackers, explained Denis Saushkin, a lawyer and partner at BGP Litigation.

— First of all, this is Article 272 "Unlawful access to legally protected computer information and its copying." If you are a "white" hacker, hacked and copied some information without an agreement with the copyright holder, this is up to two years in prison. If the copied information contained medical, banking or commercial secrets, the penalty can be up to seven years in prison, — he added.

In addition, there is Article 273 of the Criminal Code of the Russian Federation, which provides for criminal liability for the creation, use and distribution of malicious programs designed to destroy, block, modify or copy computer information without authorization. The minimum penalty is up to four years in prison. If these actions have led to a prolonged suspension of the company's activities or access to a legally protected secret has been obtained, this is up to seven years in prison.

According to the lawyer, illegal copying of personal data can result in imprisonment for up to four years, or for up to five years if the data belongs to minors. Such data may include full name and phone number, SNILS number, or any other personal information.

"If you did not just copy this data to your personal hard drive, but uploaded it somewhere to a foreign service on the Internet, then the rates rise to eight years in prison. If you suddenly did this repeatedly together with classmates, among whom the roles are distributed, the law evaluates it as an organized group, the punishment can be up to ten years in prison," the lawyer explained.

In addition, Article 274 of the Criminal Code of the Russian Federation provides for punishment for unlawful impact on critical information infrastructure, which can amount to up to ten years in prison, added Fyodor Muzalevsky, director of the RTM Group technical department.

— As of today, changes to the law regarding the actions of "white" hackers have not been adopted. That is, you can't just go out and advertise a website out of good intentions and then inform the business about it, — he stressed.

When participating in events related to the penetration of other people's systems and computers, it is worth remembering that personal data is almost everywhere now, Denis Saushkin noted.

"Accordingly, any actions in the system carry risks," he stressed.

To legally work as a "white" hacker, you need an agreement with the company and a clear technical specification. In addition, the customer must be the owner of the site that the hacker is testing, Fyodor Muzalevsky emphasized. Denis Saushkin recommended carefully studying the documents granting the "white" hacker the right to participate, copy and store information.

— The right to access any system must be secured. Moreover, the privacy policy may change in the future, so you need to download and store all documents granting this right. If you are doing a pentest for a company, it is advisable to get a scanned copy of the documents signed and stamped from the company's mail to your own mail, — the lawyer explained.

Actions on legal bug bounty platforms involve registration and compliance with clear rules on the part of hackers, Fyodor Muzalevsky recalled.

In case of any questions from law enforcement officers, the pentester should immediately notify the management of the employing company, recalled Anna Voitsekhovich, director of the MTS Legal Risk Management Department. This, according to her, will help to correctly build a line of conduct and, if necessary, involve the security service and lawyers.

Translated by the Yandex Translate service
