On the Standoff365 platform, white hat hackers have submitted 213 vulnerability reports for the Max messenger, Alexey Batyuk, Technical Director of Positive Technologies, said at the Svyaz-2026 exhibition. Total payouts to researchers under the Bug Bounty program since July 2025 have reached almost 22 million rubles, with an average payout of 349 thousand rubles per confirmed vulnerability, Kommersant reports.
The most frequent attack vector is IDOR (insecure direct object reference): a request that names a record by its identifier is served without checking that the requester is entitled to that record, so substituting another identifier yields other people's messages or data. The Max press service responds that findings made during a controlled search for flaws are not a scandal but a sign of mature security. Each report is verified, and confirmed vulnerabilities are fixed as a matter of priority, the developers say.
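The IDOR pattern the article names, shown as an added example that is not Max's code and is not taken from any of the reports: a message lookup that trusts the identifier beside one that enforces object-level authorization, plus a small audit routine that a test suite can run to catch the gap. Every user name, message id and message body here is constructed for illustration.

```python
"""Added illustration of IDOR (not the messenger's code): a message lookup
without an ownership check beside a hardened one, and an audit helper that
enumerates every (requester, id) pair the handler serves to a non-participant.
All users, ids and bodies are constructed sample data."""
from dataclasses import dataclass
from typing import Callable, Set, Tuple


@dataclass(frozen=True)
class Message:
    id: int
    sender: str
    recipient: str
    body: str


# Constructed sample store. Sequential ids make substitution trivial,
# which is exactly why the authorization check must not rely on secrecy of ids.
MESSAGES = {
    101: Message(101, "alice", "bob", "lunch at 12?"),
    102: Message(102, "carol", "dave", "the contract draft is attached"),
}


class NotFound(Exception):
    """Raised for both missing and unauthorized records."""


def get_message_vulnerable(requester: str, message_id: int) -> Message:
    """IDOR: the handler resolves the identifier and never asks whether
    the requester is a participant in the conversation."""
    try:
        return MESSAGES[message_id]
    except KeyError:
        raise NotFound(message_id)


def get_message_hardened(requester: str, message_id: int) -> Message:
    """Object-level authorization: resolve the record, then verify that the
    requester is the sender or the recipient. Unauthorized and missing ids
    both surface as NotFound, so the response does not reveal whether an
    id exists."""
    msg = MESSAGES.get(message_id)
    if msg is None or requester not in (msg.sender, msg.recipient):
        raise NotFound(message_id)
    return msg


Handler = Callable[[str, int], Message]


def can_read(handler: Handler, requester: str, message_id: int) -> bool:
    """True if the handler returns the message to this requester."""
    try:
        handler(requester, message_id)
        return True
    except NotFound:
        return False


def find_idor_leaks(handler: Handler) -> Set[Tuple[str, int]]:
    """Audit: for every known user and every stored id, report the pairs
    where the handler serves a message the user is not a participant in.
    A correct handler yields an empty set; run this as a regression test."""
    users = {p for m in MESSAGES.values() for p in (m.sender, m.recipient)}
    leaks = set()
    for user in sorted(users):
        for mid, msg in MESSAGES.items():
            allowed = user in (msg.sender, msg.recipient)
            if not allowed and can_read(handler, user, mid):
                leaks.add((user, mid))
    return leaks


if __name__ == "__main__":
    # alice requests a message exchanged between carol and dave
    print("vulnerable:", can_read(get_message_vulnerable, "alice", 102))  # True
    print("hardened:  ", can_read(get_message_hardened, "alice", 102))    # False
    print("leaks (vulnerable):", sorted(find_idor_leaks(get_message_vulnerable)))
    print("leaks (hardened):  ", sorted(find_idor_leaks(get_message_hardened)))
```

The fix is the single participant check in `get_message_hardened`; the audit helper is the part worth keeping in a test suite, because an ownership check that is present today can silently disappear when a handler is refactored.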
The Bug Bounty program for the national messenger runs on three platforms, including Bi.Zone and Cyberpolygon, with a total payout fund of about 23.5 million rubles. This is a standard way of flushing vulnerabilities out of the code before attackers find them. That hundreds of vulnerabilities were found in a product positioned as a secure channel for government agencies raises questions about the quality of the original architecture, but the platform is demonstrating a willingness to pay for its mistakes rather than sweep them under the rug.