Security researchers find 213 vulnerabilities in Russia’s state-backed messaging app Max
Security researchers have identified 213 vulnerabilities in Russia’s state-backed messaging app Max through a bug bounty program, Positive Technologies CTO Alexei Batyuk said at the international Svyaz-2026 exhibition, the Russian business daily Kommersant reported.
“Practice has shown that this method is quite effective, because white-hat hackers and cyber researchers are motivated to find vulnerabilities and get paid for it,” Batyuk said.
The bug bounty program has been running since July 1, 2025. As of April 10, the Max page on the Standoff365 bug bounty platform had accepted 288 vulnerability reports, with total payouts approaching 22 million rubles.
A white-hat hacker familiar with the vulnerability search told Kommersant that the most commonly found flaws allow unauthorized access to other users’ data or actions by substituting an object identifier — for example, a message ID, chat ID, or user ID.
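The identifier-substitution flaw described above is the class usually called insecure direct object reference (IDOR): the server resolves an object from a client-supplied ID but never checks that the caller is allowed to touch that object. The following is an added example written for this page, not code from Max, VK, or the bug bounty reports; the chat/message data model, the handler names, the `Forbidden` exception and the sample data are all assumptions. It puts a handler that looks up a message by ID alone beside one that first checks the requester's membership in the owning chat, and applies the same check to a mutating action (deleting a message).

```python
"""Illustration of the IDOR flaw class: object lookup without an ownership check.
Added example; the data model and names are assumptions, not Max's code."""
from __future__ import annotations

from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the requester is not authorized for the referenced object."""


@dataclass
class Chat:
    chat_id: int
    members: set[int]


@dataclass
class Message:
    message_id: int
    chat_id: int
    sender_id: int
    text: str
    deleted: bool = False


# Constructed sample data: two private chats; user 3 is a member of neither.
CHATS = {
    10: Chat(10, {1, 2}),
    11: Chat(11, {1, 4}),
}
MESSAGES = {
    100: Message(100, 10, 1, "meeting at noon"),
    101: Message(101, 11, 4, "the invoice is attached"),
}


def get_message_vulnerable(requester_id: int, message_id: int) -> Message:
    """Resolves the message by ID alone. requester_id is never consulted, so any
    authenticated user can read any message by guessing or incrementing the ID."""
    return MESSAGES[message_id]


def get_message_hardened(requester_id: int, message_id: int) -> Message:
    """Resolves the message, then checks that the requester belongs to the chat
    that owns it. Unknown and unauthorized IDs raise the same error so the
    response does not reveal which message IDs exist."""
    msg = MESSAGES.get(message_id)
    if msg is None or requester_id not in CHATS[msg.chat_id].members:
        raise Forbidden(f"user {requester_id} may not access message {message_id}")
    return msg


def delete_message_hardened(requester_id: int, message_id: int) -> bool:
    """Same pattern for an action: the requester must be a chat member (checked
    by the read path) and must also be the sender of the message."""
    msg = get_message_hardened(requester_id, message_id)
    if msg.sender_id != requester_id:
        raise Forbidden(f"user {requester_id} may not delete message {message_id}")
    msg.deleted = True
    return True


def is_denied(handler, requester_id: int, message_id: int) -> bool:
    """True if the handler refuses the request with Forbidden."""
    try:
        handler(requester_id, message_id)
    except Forbidden:
        return True
    return False


def demo() -> dict[str, bool]:
    """Replay the ID-substitution attack against both handlers."""
    outsider = 3  # not a member of chat 11
    return {
        # Vulnerable handler hands the outsider another user's message.
        "vuln_leaks": get_message_vulnerable(outsider, 101).text == "the invoice is attached",
        # Hardened handler refuses the same request.
        "hardened_blocks_read": is_denied(get_message_hardened, outsider, 101),
        # A legitimate member still reads their own chat.
        "member_can_read": get_message_hardened(1, 100).message_id == 100,
        # Chat member who is not the sender cannot delete the message.
        "nonsender_cannot_delete": is_denied(delete_message_hardened, 2, 100),
        # The sender can.
        "sender_can_delete": delete_message_hardened(1, 100),
    }


if __name__ == "__main__":
    print(demo())
```

The important design point is the order of operations in `get_message_hardened`: resolve the object, derive its owner (here, the chat's member list), compare against the authenticated caller, and only then return or mutate it. Doing the check on the derived owner rather than on anything the client sends is what prevents the ID substitution from working, and the same three-step shape applies to chat IDs and user IDs.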
Max’s press service stated that all user data is reliably protected. “Bug bounty is a global standard and a sign of mature security: independent white-hat hackers help find and quickly fix vulnerabilities for a reward before malicious actors can exploit them,” company representatives said.
Russian authorities have been actively promoting Max, a messaging app backed by the Russian state and launched by VK in March 2025. Against this backdrop, Roskomnadzor has been blocking other popular messaging apps, including Telegram and WhatsApp.
Max has repeatedly drawn criticism over concerns that it may surveil users, as well as over security vulnerabilities.
At Meduza, we are committed to transparency about our use of artificial intelligence in the newsroom. The story you’re reading was written by one of our living, breathing journalists and translated from Russian using an AI model configured to follow our strict editorial standards. This translation process is the result of extensive testing and refinements to ensure our English-language coverage is timely and accurate. A Meduza editor reviews every draft before publication.