Ukraine legalized vulnerability testing of systems without owners’ consent
In December 2025, the Ukrainian government approved a new regulation allowing white hackers to test information systems for vulnerabilities without the consent of their owners. This reduces cybersecurity risks and encourages more open collaboration between hackers and system owners.
The new government decree No. 1580, adopted in early December 2025, takes a significant step towards decriminalizing the activities of white hackers. From now on, according to Ukrainian legislation, white or ethical hackers can conduct vulnerability testing of information systems without the prior consent of the owner, provided there is no interference with the system’s operation. At the same time, bug hunters are obliged to report any discovered vulnerabilities to the system owner and relevant bodies, such as CERT-UA or a regional CSIRT, within 24 hours.
This step helps avoid situations where vulnerabilities remain hidden or their remediation is postponed. Owners of state and critical systems are now required to ensure continuous vulnerability detection. CERT-UA and CSIRT now maintain centralized registers, analyzing and publishing information about vulnerabilities discovered within the national cyber incident exchange system.
The changes introduce a new standard for vulnerability management, increasing the responsibility of state organizations and companies for timely responses. In the new system, failing to respond promptly to identified vulnerabilities may entail reputational and operational risks, as government bodies gain more opportunities for inspections.
Proactive risk management becomes a key success factor in the new situation. Pen tests, Bug Bounty and Bug Bash programs, as well as Vulnerability Disclosure Programs (VDP), become tools for identifying and eliminating vulnerabilities without government intervention. Such programs are already being used to test state systems, particularly during the Kyiv International Cybersecurity Forum in 2025.
Overall, the implementation of sustainable vulnerability testing processes involving the expert community enhances the security of Ukraine’s cyberspace and reduces risks for all participants in the digital ecosystem.
| Decree | Changes | Consequences |
|---|---|---|
| No. 1580 | Allows testing without consent | Decriminalization of white hackers’ activities |
| No. 497 | Vulnerability management mechanisms | Reduction of cybersecurity risks |




