Russia’s Vulnerability Market Hits a Quarter-Billion Rubles—All Legally
Three Years of Standoff Bug Bounty in Review
At the international cybersecurity festival Positive Hack Days, the Standoff Bug Bounty platform summarized its results. From May 2022 to May 2025, nearly 25,000 security researchers from 60 countries registered on the platform, earning a total of 242 million rubles in bounties for discovered vulnerabilities.
Key Achievements
- 100+ vulnerability research programs launched, including initiatives analyzing critical failure scenarios.
- Clients span small businesses, major marketplaces, media holdings, government agencies, and regional administrations.
- Surge in activity since late 2023:
  - 3x increase in unique vulnerability reports accepted by clients.
  - 520 critical vulnerabilities identified.
  - 10,900 total reports submitted—5x more than just 1.5 years ago.
- Standoff Bug Bounty remains the leader among Russian platforms in these metrics.
Rewards & Growth
- Average payout per accepted vulnerability: 58,000 rubles.
- Highest single bounty: Nearly 4 million rubles—a record for Russia’s bug bounty market and a 39% increase from 2023.
- Global reach: Researchers from Asia, CIS, Middle East, Europe, Africa, and Latin America participate.
- Community expansion: The number of ethical hackers has tripled in the past 1.5 years, reflecting growing engagement.
Industry Trends
- 2023: Most reports came from IT companies.
- 2024: Retail sector took the lead, signaling broader industry participation in vulnerability management.
Award Ceremony & Future Outlook
On May 24, the festival’s main stage at Luzhniki hosted an award ceremony for top-performing companies in Standoff Bug Bounty. Anatoly Ivanov, head of the platform, emphasized that the past three years have not only grown the service but also established a responsible vulnerability disclosure market. Companies once hesitant about public bug reporting now systematically collaborate with researchers, setting an example for others. Additionally, The Standoff cyber exercises have gone online, allowing year-round security testing for participating organizations.
