21:23, 30 November 2025

Hunting for Vulnerabilities in Bitrix24

A new public bug‑bounty initiative aims to strengthen security for Bitrix24’s cloud platform and increase trust in Russia’s SaaS ecosystem

A Strategic Shift Toward Open Security

Russian software company 1C‑Bitrix has launched a public bug‑bounty program for its cloud service Bitrix24, opening participation to any qualified researcher. Previously, security testing was limited to a closed group.

The company argues the shift is crucial because the Russian IT sector remains one of the most heavily targeted, with up to 9% of successful cyberattacks hitting software and cloud‑service vendors. As supply‑chain attacks rise, opening testing to the broader research community is meant to improve resilience and reduce the risk passed on to clients.

Bolstering Trust in Domestic SaaS

The public program is expected to increase trust in domestic SaaS platforms and may inspire other Russian vendors to adopt similar approaches. It also helps mitigate supply‑chain vulnerabilities, as IT companies are often entry points for cyberattacks on broader infrastructures.

The initiative contributes to the development of Russia’s bug‑bounty ecosystem and the pentesting community.

“It is critically important to protect retail infrastructure. Distributed systems, hundreds of integrations, and constant data exchange with external services make it an attractive target. Public bug‑bounty programs allow a wide circle of researchers to find vulnerabilities of varying severity. On our platform, more than 37 million rubles have been paid out as part of open retail programs. This format helps businesses fix real technical flaws before attackers exploit them.”

Alignment with Global Standards

Between 2021 and 2023, Russia experienced several major data breaches caused by vulnerabilities in SaaS and cloud products, which fueled growing interest in domestic cybersecurity startups, security audits, and external penetration testing. This period saw rising demand for initiatives such as public bug-bounty programs as a proactive defense mechanism.

From 2022 to 2024, global SaaS companies such as Atlassian, GitLab, and Microsoft expanded their bug‑bounty programs. With the public launch, 1C‑Bitrix follows the same international practice.

Meanwhile, Russia has seen a surge in cyberattacks, with over 63,000 incidents recorded in the first half of 2025, a 27% increase year over year, which underlines the need for external security testing.

In November 2025, retailer Magnit shifted its bug‑bounty program on Standoff Bug Bounty to a public format, offering rewards of up to 120,000 rubles for high‑risk bugs and 250,000 rubles for critical ones.

A Potential Ripple Effect

The launch of Bitrix24’s public bug‑bounty program reflects the platform’s maturity. It may prompt other vendors, especially in SaaS, ERP, and corporate systems, to adopt similar models.

To sustain momentum, companies must ensure meaningful rewards, transparent triage processes, and timely patching. This initiative may strengthen Russia’s cybersecurity posture and technological sovereignty.
