Communications and telecom
09:58, 01 December 2025

Hackers Found No Vulnerabilities in the MAX Messenger

The security of Russia’s national messaging platform MAX has passed one of the most rigorous practical stress tests in the cybersecurity industry, strengthening its potential for large-scale deployment in both the public and private sectors.

A critical stress test

One of the core priorities for the developers of Russia’s national messenger MAX is ensuring user security. Recent testing confirmed that the application contains no critical vulnerabilities — and this conclusion came from independent hackers.

Earlier this month, the ZeroNights conference — one of Europe’s largest hands‑on cybersecurity events — hosted a strategic partnership with the MAX development team. Participants engaged in a Capture the Flag (CTF) competition, where teams searched for “flags” hidden across simulated vulnerability vectors closely resembling real-world infrastructure. Completing challenges awarded points.

Teams that solved at least three tasks received access to a closed MAX bug bounty program for enterprise users, with a 20% reward increase for any validated vulnerabilities. Participants could also earn additional payments of $280 for vulnerabilities discovered in any VK Bug Bounty project.

Full confidence in platform security

Following the event, no vulnerabilities were identified in the MAX messenger. As a result, the VK Bug Bounty team announced higher payouts for vulnerabilities found in the platform — now reaching up to approximately $112,000.

“MAX has a real opportunity to build its own model tailored to Russian conditions. The main objective is not to chase foreign super‑apps but to find a uniquely Russian path forward, leveraging the strengths of existing platforms.”

This outcome sends an important signal across Russia’s IT sector. One of the country’s key digital infrastructure components has successfully passed an external stress test. This makes MAX significantly more appealing for corporate environments where data protection is a top priority — from private companies to government agencies.

A strong security posture may also support the platform’s advancement into international markets, although it would first need to undergo additional certification and compliance procedures.

A growing bug‑bounty market

Russia’s bug bounty ecosystem has expanded rapidly since 2022–2023. Demand from corporate clients continues to grow: companies gain insights into the resilience of their external infrastructure, while bug hunters receive financial rewards for validated discoveries. The departure of foreign vendors even accelerated the trend, opening opportunities for domestic platforms.

Positive Technologies is widely recognized as the pioneer of Russian bug bounty programs, followed by Innostage. Another major platform, BI.ZONE, was officially added to the national software registry in March 2023, making it eligible for deployment by state‑owned companies.

MAX keeps gaining traction

MAX launched in spring 2025 as a domestic alternative to foreign messaging platforms — envisioned not simply as a communication tool but as a multifunctional daily service workspace.

The app features deep integration with Russia’s “Gosuslugi” digital government services, and this integration continues to expand.

As of mid‑November, MAX had already reached 55 million users and was included in the list of priority domestic software. It remains operational even during mobile internet disruptions caused by hostile drone attacks. More than 13,000 large‑audience bloggers have opened channels on the platform — from singer Jasmine and actor Nikita Panfyolov to composer Ilya Ushullu and travel blogger Maxim Kudryashov.

The results of recent cybersecurity trials show that MAX is indeed a platform that can be trusted. However, to maintain this level of protection, regular repeat testing is essential — as attack tools continually evolve and security systems must evolve with them.
