Security researchers find 213 vulnerabilities in Russia’s state-backed messaging app Max

Security researchers have uncovered 213 vulnerabilities in Max, Russia’s state-backed messaging app, through a bug bounty program. Alexei Batyuk, CTO of Positive Technologies, disclosed the figure at the international Svyaz-2026 exhibition, as reported by the Russian business daily Kommersant.

Effective Vulnerability Detection

Batyuk emphasized the efficacy of this approach, stating, “Practice has shown that this method is quite effective, because white-hat hackers and cyber researchers are motivated to find vulnerabilities and get paid for it.” The bug bounty program has been operational since July 1, 2025, and by April 10, the Bug Bounty Standoff365 platform had accepted 288 vulnerability reports, with total payouts nearing 22 million rubles.

A white-hat hacker involved in the vulnerability search shared insights with Kommersant, revealing that the most frequently identified flaws could allow unauthorized access to user data or actions through the substitution of object identifiers, such as message IDs, chat IDs, or user IDs.
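The flaw class described above is commonly called an insecure direct object reference (IDOR), or broken object-level authorization. The following added example is not code from Max or from the researchers; it uses a hypothetical in-memory message store to show a lookup that trusts a client-supplied message ID beside one that checks chat membership, plus a regression check a defender can run against any handler.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Message:
    msg_id: int
    chat_id: int
    sender_id: int
    text: str

# Constructed sample data; the schema is hypothetical, not taken from Max.
CHAT_MEMBERS = {10: {1, 2}, 20: {3, 4}}  # chat_id -> member user IDs
MESSAGES = {
    100: Message(100, 10, 1, "hello from chat 10"),
    200: Message(200, 20, 3, "private to chat 20"),
}

class NotFound(Exception):
    """Raised for missing AND unauthorized objects, so responses do not confirm that an ID exists."""

def is_member(user_id: int, chat_id: int) -> bool:
    return user_id in CHAT_MEMBERS.get(chat_id, set())

def get_message_unchecked(requester_id: int, msg_id: int) -> Message:
    # Flawed pattern: the requester is authenticated, but the object is
    # fetched purely by the ID the client sent. requester_id is never used.
    msg = MESSAGES.get(msg_id)
    if msg is None:
        raise NotFound(msg_id)
    return msg

def get_message_checked(requester_id: int, msg_id: int) -> Message:
    # Hardened pattern: authorize against the object's owner (its chat)
    # on the server side, for every request.
    msg = MESSAGES.get(msg_id)
    if msg is None or not is_member(requester_id, msg.chat_id):
        raise NotFound(msg_id)
    return msg

def audit(requester_id: int, handler) -> list:
    """Return IDs of messages the handler serves to a user outside the message's chat."""
    leaked = []
    for msg_id, msg in MESSAGES.items():
        try:
            handler(requester_id, msg_id)
        except NotFound:
            continue
        if not is_member(requester_id, msg.chat_id):
            leaked.append(msg_id)
    return leaked
```

The same `audit` loop works as a unit test in CI: any non-empty result means a handler returned an object to a user who does not belong to its chat.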

In response to these findings, Max’s press service asserted that all user data is “reliably protected.” They further noted, “Bug bounty is a global standard and a sign of mature security: independent white-hat hackers help find and quickly fix vulnerabilities for a reward before malicious actors can exploit them.”

Against the backdrop of these developments, Russian authorities have been actively promoting Max, a messaging app launched by VK in March 2025. This promotion has coincided with Roskomnadzor’s efforts to block other popular messaging platforms, including Telegram and WhatsApp.

Despite the push for Max, the app has faced criticism regarding potential user surveillance and ongoing security vulnerabilities. As the landscape of digital communication continues to evolve, the efficacy of bug bounty programs may play a crucial role in enhancing the security of applications like Max.
