4 June 2026

Bug bounty uncovers 213 security issues in Max messaging app

White-hat researchers reported hundreds of vulnerability submissions to Max, confirming 213 issues through an organized bug bounty


The announcement that 213 vulnerabilities were identified in the Russian state-backed messaging app Max came at the international Svyaz-2026 exhibition and was reported by Kommersant. Positive Technologies CTO Alexei Batyuk said the discoveries resulted from a coordinated bug bounty effort that invited external security researchers to probe the service for weaknesses. The program, hosted on the Bug Bounty Standoff365 platform, began on July 1, 2026, and by April 10 the platform’s Max page had registered 288 accepted reports and payouts that were approaching 22 million rubles.

Organizers and outside experts framed the initiative as a practical way to harden the app: paying researchers creates an incentive to find flaws before malicious actors can exploit them. According to statements in the press, the bug bounty process is considered a mainstream security practice. At the same time, Max operates in a politically and technically charged environment, with regulators and critics watching its deployment and reception closely.

The bug bounty findings and technical patterns

The accepted reports led to the confirmation of 213 distinct vulnerabilities, with researchers describing recurring patterns in the types of problems discovered. A white-hat hacker speaking to Kommersant explained that many of the most common weaknesses allowed unauthorized access or actions by manipulating a simple identifier. In practical terms, an attacker could swap a message ID, chat ID or user ID (examples of what is known generally as an object identifier) and thereby retrieve or affect data they should not be able to reach. These are classic access control and authorization issues that can be severe if left unpatched.

What the vulnerability types mean

Substituting an object identifier is a common technique because many systems rely on predictable or insufficiently validated identifiers to serve content or execute actions. When a service fails to verify that a requester actually owns or is permitted to touch the object referenced by an identifier, it creates a pathway for unauthorized data exposure or manipulation. The researchers also reported a variety of other flaws, though the identifier-substitution category was singled out as particularly frequent and impactful in the reports accepted by the Bug Bounty Standoff365 page for Max.
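To make the failure mode concrete, here is an added example that is not code from Max, VK or the bug bounty reports. It models a minimal message store with constructed sample data and contrasts a handler that trusts the supplied message ID with one that first checks that the requester is a member of the chat the message belongs to (read) or is the original sender (delete). Function and field names are assumptions chosen for illustration; the hardened handler deliberately returns the same "not found" result for missing and unauthorized identifiers so the response does not reveal whether an ID exists.

```python
"""Object-identifier access checks: a trusting handler beside a checked one.

Added illustration, not code from the Max app. All data below is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    message_id: int
    chat_id: int
    sender_id: int
    body: str


@dataclass(frozen=True)
class Chat:
    chat_id: int
    members: frozenset[int]


class NotFound(Exception):
    """Raised for unknown identifiers and, in the checked handler, for
    identifiers the requester is not allowed to touch."""


# Constructed sample data: two chats, user 1 and 2 share chat 100, user 3 is
# alone in chat 200.
CHATS: dict[int, Chat] = {
    100: Chat(100, frozenset({1, 2})),
    200: Chat(200, frozenset({3})),
}
MESSAGES: dict[int, Message] = {
    1001: Message(1001, 100, 1, "hello from chat 100"),
    2001: Message(2001, 200, 3, "private note in chat 200"),
}


def get_message_unchecked(requester_id: int, message_id: int) -> str:
    """Vulnerable pattern: the identifier is looked up and served without
    asking whether requester_id may see it. Swapping message_id is enough
    to read another chat's message."""
    msg = MESSAGES.get(message_id)
    if msg is None:
        raise NotFound(message_id)
    return msg.body


def _authorized_message(requester_id: int, message_id: int) -> Message:
    """Resolve the identifier and verify chat membership in one place.
    Missing and unauthorized IDs are indistinguishable to the caller."""
    msg = MESSAGES.get(message_id)
    chat = CHATS.get(msg.chat_id) if msg is not None else None
    if msg is None or chat is None or requester_id not in chat.members:
        raise NotFound(message_id)
    return msg


def get_message_checked(requester_id: int, message_id: int) -> str:
    """Hardened read: membership of the owning chat is required."""
    return _authorized_message(requester_id, message_id).body


def delete_message_checked(requester_id: int, message_id: int) -> bool:
    """Hardened action: only the sender may delete, and only if they can
    also read it (membership check runs first)."""
    msg = _authorized_message(requester_id, message_id)
    if msg.sender_id != requester_id:
        raise NotFound(message_id)
    del MESSAGES[message_id]
    return True


def can_read(requester_id: int, message_id: int, checked: bool = True) -> bool:
    """Convenience probe used to compare the two handlers."""
    handler = get_message_checked if checked else get_message_unchecked
    try:
        handler(requester_id, message_id)
        return True
    except NotFound:
        return False


if __name__ == "__main__":
    # User 2 is not in chat 200; the trusting handler still serves message 2001.
    print("unchecked leak:", can_read(2, 2001, checked=False))  # True
    print("checked denies:", can_read(2, 2001))                 # False
    print("member allowed:", can_read(2, 1001))                 # True
```

The check lives in a single helper so that every handler that takes an identifier (read, edit, delete, forward) goes through the same membership test; scattering the test across endpoints is how one of them ends up without it.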

Official responses and wider context

Max’s press service responded that user data is reliably protected and framed the bug bounty as evidence of mature security hygiene: third-party researchers help find and fix issues in advance of exploitation. Company representatives emphasized that a paid bounty program is a global norm and described the process as an opportunity to remediate findings quickly. Meanwhile, security professionals and privacy advocates have previously criticized Max over concerns that the app could be used for state surveillance, and ongoing public debate mixes technical risk with political worries.

Promotion, platform dynamics and regulatory pressure

The rollout of Max, which was launched by VK in March 2026 and is backed by the state, has taken place against a backdrop of regulatory maneuvers. Russian authorities, including Roskomnadzor, have actively promoted the app while simultaneously blocking competing messaging services such as Telegram and WhatsApp in certain cases. These measures have increased attention on Max’s security posture and amplified concerns about privacy and oversight.

Implications and transparency from the newsroom

The discovery of 213 vulnerabilities via a public bounty illustrates how open reporting channels can expose systemic issues that might otherwise remain hidden. For organizations running similar programs, the experience with Max reinforces the value of incentives and the need for robust remediation workflows: accepting reports is only the first step; patching and verifying the fixes is what ultimately reduces risk. The reported volume, 288 accepted submissions and payouts approaching 22 million rubles, also underlines the scale at which coordinated security testing can operate when financial rewards are offered.

About this article and reader information

At Meduza, we aim to be transparent about how we produce and translate content. The story you are reading was written by a human journalist and translated from Russian using an AI model tuned to follow editorial standards; every machine draft is reviewed by a Meduza editor to ensure accuracy and tone. If you notice any errors in this translation, please contact us at [email protected]. For ongoing English-language coverage from Meduza, consider subscribing to the newsletter for direct updates and exclusives.

Author

Beatrice Faggin

Beatrice Faggin obtained official documents on a tender after a week of access-to-records; desk editor who builds investigative features and coordinates internal fact-checking. Genoese by birth, maintains a personal database of public contracts available in the newsroom.