Hundreds of vulnerabilities allowing eavesdropping on messages have been discovered in the Russian state-run Max messenger

11 April 2026

Participants in the Bug Bounty program, which searches for flaws in IT systems, have identified 213 vulnerabilities in the government-controlled Max messaging app, Kommersant reports, citing Alexey Batyuk, Positive Technologies’ technical director for public sector development. “Experience has shown that this method is quite effective, as white hat hackers and cyber researchers are interested in finding vulnerabilities and getting paid for it… Currently, cyber researchers have submitted 213 vulnerability reports in this messaging app [Max],” he said at the Svyaz-2026 international exhibition.

According to one “white hat” hacker, the most common vulnerability encountered in the government messaging app is the IDOR vulnerability—a class of bugs that allows access to other people’s data by spoofing identifiers in server requests. According to a source familiar with Max security audits, this mechanism can open the door to other people’s messages, chats, and user files. The Bug Bounty page on Standoff365 lists the most expensive scenarios as “access to a specific user’s private messages,” “access to all Max user content,” and server vulnerabilities that leak protected personal data, including cases involving IDOR.
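The IDOR class the paragraph above describes comes down to one missing step on the server: the request is authenticated, but the object it names is never checked against the caller. The following is an added illustration written for this page, not code from Max or from any of the researchers quoted; the message store, user ids and the function names `get_message_vulnerable`, `get_message_fixed` and `audit_access` are all constructed for the example. It shows a handler that trusts the client-supplied message id beside one that enforces object-level authorization, and a small check that a test suite can use to confirm only the caller's own objects are readable.

```python
# Added illustration of the IDOR bug class (constructed example, not Max's code).
# Message ids are sequential integers, as they often are in real services,
# which is why an authorization check on every object lookup is essential.
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    msg_id: int
    owner_id: int
    body: str


# Constructed sample data: two users (100 and 200) and three messages.
MESSAGES = {
    1: Message(1, owner_id=100, body="hello from user 100"),
    2: Message(2, owner_id=200, body="user 200's private note"),
    3: Message(3, owner_id=100, body="another message of user 100"),
}


class Forbidden(Exception):
    """Raised when the requester is not allowed to read the object."""


def get_message_vulnerable(requester_id: int, msg_id: int) -> Message:
    """IDOR-prone handler: requester_id is trusted (it comes from the session),
    but nothing verifies that the requester owns the message named by the
    client-supplied msg_id, so any authenticated user can read any message."""
    msg = MESSAGES.get(msg_id)
    if msg is None:
        raise KeyError(msg_id)
    return msg


def get_message_fixed(requester_id: int, msg_id: int) -> Message:
    """Hardened handler: same lookup plus an object-level authorization check.
    A missing object and someone else's object raise the same error, so the
    response does not reveal whether a given msg_id exists."""
    msg = MESSAGES.get(msg_id)
    if msg is None or msg.owner_id != requester_id:
        raise Forbidden(f"message {msg_id} is not accessible to user {requester_id}")
    return msg


def audit_access(handler, requester_id: int, msg_ids) -> list[int]:
    """Return the ids that `handler` lets `requester_id` read.
    In a test suite, the expected result for a hardened handler is exactly
    the set of objects the user owns and nothing more."""
    readable = []
    for mid in msg_ids:
        try:
            handler(requester_id, mid)
        except (Forbidden, KeyError):
            continue
        readable.append(mid)
    return readable


if __name__ == "__main__":
    # User 100 probes ids 1-4; id 4 does not exist, id 2 belongs to user 200.
    print("vulnerable:", audit_access(get_message_vulnerable, 100, [1, 2, 3, 4]))
    print("fixed:     ", audit_access(get_message_fixed, 100, [1, 2, 3, 4]))
```

The ownership comparison in `get_message_fixed` is the whole fix; unguessable identifiers (random UUIDs instead of counters) make probing harder but are not a substitute for it, because an id that leaks through any other channel would again grant access. A regression test built on `audit_access` is a cheap way to keep the check from silently disappearing in a later refactor.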

The platform also notes that vulnerability scanning for services has been in effect since July 1, 2025, and by April 10, 2026, 288 vulnerability reports had been accepted out of 459 submitted. White-hat hackers were paid almost 22 million rubles for their work (with an average payout of 349,000 rubles). The state messenger is also featured on two other platforms—Bi.Zone and CyberPolygon—which have paid out a total of approximately 1.5 million rubles.

Max, for its part, stated that attempts to portray the mere discovery of vulnerabilities as a “sensation” and a sign of insecurity distort the purpose of bug bounty programs, since such programs exist precisely for the controlled discovery and prompt elimination of potential risks. All Max user data is securely protected, the messenger’s press service asserts.

https://ru.themoscowtimes.com/2026/04/11/v-gosmessendzhere-max-nashli-sotni-uyazvimostei-pozvolyayuschih-chitat-perepiski-a192391

3 comments

  1. Even the brainwashed ruskie people knew why they didn’t want this app. This news will be the final nail in its coffin.

  2. “All Max user data is securely protected, the messenger’s press service asserts.”

    Of course it is, that’s why nobody is using it.
