Max's Bug Bounty: Two Hundred Thirteen Flaws and Twenty-Two Million in Rewards

Published on April 19, 2026 | Translated from Spanish

The Bug Bounty program of the national messenger Max, launched in July 2025, has yielded quantifiable results. According to data from Standoff365, 454 reports were received, of which 288 were accepted, identifying 213 vulnerabilities. Total payments to researchers exceed 21.9 million rubles, with an average reward close to 349 thousand rubles. Experts point out the usefulness of this initiative for strengthening the platform's security.


The Predominance of IDOR and Unauthorized Access 🕵️

The most frequently reported vulnerability class was IDOR (Insecure Direct Object Reference). An IDOR lets an authenticated user reach objects that do not belong to them, such as messages or profiles, simply by changing an identifier in the request: the server resolves the ID and returns the object without checking that this particular requester is authorized for it. Its frequency points to missing object-level authorization checks in the backend, rather than to any weakness in authentication. Max also participates in two other reward platforms, broadening the scrutiny of its code.
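To make the IDOR pattern concrete, here is an added example that is not code from Max, Standoff365 or the article: a minimal in-memory message lookup written two ways, once with the flaw and once with an object-level authorization check, plus the enumeration loop a bug hunter would run against each. The message store, user names and numeric ids are constructed for illustration and are not Max's data model.

```python
"""Added example (not Max's code): an IDOR in a message lookup and its fix.
All data and identifiers here are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    message_id: int
    sender: str
    recipient: str
    body: str


# Constructed sample store: three private messages across two conversations.
# Sequential integer ids are what makes blind enumeration cheap.
MESSAGES = {
    101: Message(101, "alice", "bob", "see you at 7"),
    102: Message(102, "bob", "alice", "ok"),
    103: Message(103, "carol", "dave", "the door code is on the whiteboard"),
}


class NotFound(Exception):
    """Raised for ids the caller may not see, whether missing or not theirs."""


def get_message_vulnerable(session_user: str, message_id: int) -> Message:
    """IDOR: the caller is authenticated (session_user), but the lookup is
    keyed only on the client-supplied id, so any user can read any message."""
    try:
        return MESSAGES[message_id]
    except KeyError:
        raise NotFound(message_id) from None


def get_message_fixed(session_user: str, message_id: int) -> Message:
    """Object-level authorization: load the object, then verify that the
    authenticated user is a participant before returning it. The same error
    is raised for "missing" and "not yours" so the endpoint does not act as
    an oracle for which ids exist."""
    msg = MESSAGES.get(message_id)
    if msg is None or session_user not in (msg.sender, msg.recipient):
        raise NotFound(message_id)
    return msg


def enumerate_ids(handler, session_user: str, id_range) -> list:
    """What a researcher does to confirm an IDOR: walk a range of ids with a
    single session and collect every id whose object belongs to someone else."""
    leaked = []
    for mid in id_range:
        try:
            msg = handler(session_user, mid)
        except NotFound:
            continue
        if session_user not in (msg.sender, msg.recipient):
            leaked.append(mid)
    return leaked


if __name__ == "__main__":
    # alice walks ids 100..109 against both handlers.
    print("vulnerable:", enumerate_ids(get_message_vulnerable, "alice", range(100, 110)))
    print("fixed:     ", enumerate_ids(get_message_fixed, "alice", range(100, 110)))
```

The fix is the authorization check at the point where the object is loaded, not a change to the identifier format. Replacing sequential ids with random ones only raises the cost of discovering valid ids; an id that leaks through a notification, a shared link or a log still resolves to someone else's message unless the participant check is there.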

The Bug Hunters and Their New 'Remote Work' 💰

It seems that finding holes in Max has become a rather lucrative form of telework. With single payments that can exceed the average salary in some regions, it is no wonder ethical hackers scrutinize every corner of the app with more dedication than a user hunting for a sticker. The next time your last message shows as read, it might not be your contact who saw it, but a security researcher testing an IDOR. All for a reward.