Standoff Bug Bounty

93 posts


@StandoffBB

Welcome to Standoff Bug Bounty — where hackers and businesses join forces, and everyone wins. Start the hunt 👇

Joined August 2024
52 Following · 2.5K Followers

Standoff Bug Bounty @StandoffBB
Standoff Bug Bounty 2025 wrapped. Here's what the numbers say 🧐

We packed every payout, every vulnerability class, and every trend from the past year into a single report. The team combed through the platform and highlighted the standout items, from researcher earnings and the most common vulnerability types all the way to where bug bounty is headed for the rest of this year. We included tables and charts for clarity.

What's inside:
📎 Who earned what and for which vulnerabilities
📎 The most critical flaws uncovered
📎 What's shifting in the bug bounty world in 2026

If you want to stay in the loop about how bug bounty is doing and what to pay attention to, check out the research at global.ptsecurity.com/en/research/an…

Standoff Bug Bounty @StandoffBB
Kontur double payouts are live 🤑

From March 2 through March 31, qualifying bugs come with double payouts. This round targets the authentication system and account portal. Rewards for eligible vulnerabilities can reach $25,285.

In scope:
auth.kontur.ru
identity.kontur.ru
cabinet.kontur.ru
api.kontur.ru/cabinet-api/*
api.kontur.ru/auth/*

Good to know:
〰️ Higher payouts apply only to the listed scope
〰️ Limit automated scanning to 5 RPS
〰️ Be sure to add the X-BugBounty: {standoff_username} header to all requests

Snag vulnerabilities (bugbounty.standoff365.com/en-US/programs…) while double rates are active 😼

Standoff Bug Bounty @StandoffBB
✉️ New message for you: hh.ru goes public on Standoff Bug Bounty

Your dream job just landed — bugs and bounties are already waiting for you on the career platform. The program was previously open to a select group of researchers, but now hh.ru is opening its doors to every bug hunter out there. Earn up to $6,414 for discovered vulnerabilities 💰

What's in scope:
• hh.ru
• api.hh.ru
• dev.hh.ru
• talantix.ru
• setka.ru
• api.setka.ru

Everything's set for the hunt. The only thing missing? Your report. Jump into Standoff Bug Bounty (bugbounty.standoff365.com/en-US/programs…) and make the internet safer 🔥

Standoff Bug Bounty @StandoffBB
What is Standoff Hacks and how do you get in? 🤔

We sat down with one of our researchers, Hackerx007 @XHackerx007, to find out what participating in Standoff Hacks means to him. Dive into the amazing world of Standoff Hacks and explore it with us! Read the interview, then join the contest for a chance to win an invite to a party abroad 😎

1⃣ What does participating in Standoff Hacks mean to you?
A lot! It allows me to challenge myself and push my hacking mentality to the maximum level. It was my first LHE, so I didn't think I would win, but while hacking, I discovered a new part of my skills! Under pressure, you discover new skills that you didn't think you were capable of. So what does Standoff Hacks mean to me? It means confidence and challenge! Winning an LHE against 32 elite hackers showed me that under pressure we can do things we didn't think we could do.

2⃣ You have participated in Standoff Hacks before. What are the most vivid impressions you remember?
The spirit, the community, and the management! When I met the other hackers, it felt like we'd known each other for a long time. Even though we were against each other, everyone was hoping the other would win! We had such a beautiful time together. And the program managers were with us — Elizaveta from T-Bank and Alexander from WB — giving their support. And you know what? We didn't even feel like they were the program owners. We were joking, having fun! And the support we got from the Positive Technologies team — Alex, Max, Masha — was amazing. Those moments and the time we spent, the laughs... it's unforgettable.

3⃣ What is most important to you at such events: victory, experience, money, or the community?
Experience and community. As I said, I discovered things I didn't think I was able to do. I learned critical skills — working under pressure allows you to learn new things! Also the community — making new friends who think just like you. You know, all hackers around the world share the same way of thinking, and that makes the connection much easier. As I said, we felt like we'd known each other forever. We had a lot of fun! So making new friends and learning new things — that's what I'm looking forward to.

4⃣ How do you usually prepare for Standoff Hacks — or do you deliberately not prepare?
I would love to take a break for a few days before the event, so I can recharge my energy and be ready to hack day and night!

5⃣ What is the most challenging part of Standoff Hacks: the lack of time or the competitive pressure?
Neither! The most challenging thing is proving to yourself that you can do it. Anyone can win. I was challenging myself, because when I started, I didn't think I could win, but I was trying to prove to myself that I could do it! The time was enough for me, and working under pressure is beneficial — so the real challenge was proving to myself that I can and I will!

6⃣ What are you most looking forward to at Standoff Hacks in China: complex bugs, networking, or the atmosphere?
I'm not greedy — all three of them! Finding critical bugs gives me confidence, making new friends and connections, and enjoying the time with other hackers! See you in China!

Standoff Bug Bounty @StandoffBB
Standoff Hacks is almost here! 🔛 Want in?

Standoff Hacks is our private two-week live hacking event — top researchers, closed corporate targets, serious rewards, and a final party somewhere in the world (TBA!).

How to get an invite:
➡️ Hunt bugs in the OZON program: bugbounty.standoff365.com/en-US/programs…
➡️ Submit valid reports
➡️ Earn points
➡️ Increase your chances of getting one of the invitations

That's it 🎉

Dates: Feb 20, 10:00 AM – Mar 6, 11:59 PM (Moscow Time)

Go hunt! 🐞

Standoff Bug Bounty @StandoffBB
New cyber testing program from Jet Infosystems 😎

You can now test one of the most complex enterprise infrastructures out there and see how it holds up under pressure.

Key scenarios include:
🔵 Infrastructure control: domain administrator rights, virtualization access, server and backup management control
🔵 Protected privileged access perimeter: access, isolation bypass, perimeter movement, protected perimeter network control

What you need to know:
➖ OSINT and social engineering are allowed.
➖ Phishing emails to @ jet[.]su are permitted.
➖ Only non-destructive methods are allowed.
➖ Clients and partners are out of scope. Do not target their systems.

💰 Earn as much as $19,588 in rewards

Reward opportunities are available now, so jump in while the testing scope is still open: bugbounty.standoff365.com/en-US/programs…
If you find a vulnerability, submit the report through the main bug bounty program: bugbounty.standoff365.com/en-US/programs…

Standoff Bug Bounty @StandoffBB
43 ruble millionaire bug hunters on the Standoff Bug Bounty platform 🤵 Intrigued? Let's recap Standoff Bug Bounty's performance in 2025.

📈 Last year, the platform saw growth across every metric:
🔘 233 programs launched — that's 2.2x more than the previous year. The bug bounty market is expanding rapidly; we are seeing increased participation not just from online services, but also from offline businesses, IT vendors, and government organizations.
🔘 Hackers submitted 7,870 reports, of which 2,909 were accepted — a 34% increase year-over-year. As usual, the financial sector drove the most activity.
🔘 2025 shattered other records as well:
➡️ The highest single payout was $65,000, and the average reward rose by 12%, reaching $860.
🔘 Access control remains the top priority. In 2025, 58% of high and critical severity vulnerabilities fell into this category. It remains the most persistent issue in the platform's history.
🔘 Total payouts reached $2,110,435 — a 49% increase over 2024.

However, our biggest achievement isn't the data — it's you, the community. Thank you for your contributions!

Standoff Bug Bounty @StandoffBB
Flowwow is open to all bug hunters 🌸

Want to check how secure the flower and gift marketplace is? You're in the right place: the Flowwow platform can now be tested by all researchers!

What's in scope:
🟢 Main domain: flowwow.com
APIs and subdomains: apis.flowwow.com, envio.flowwow.com, api2.flowwow.com, api-shop.flowwow.com, api-email.flowwow.com, clientweb.flowwow.com
🟢 Mobile apps for iOS and Android: Flowwow, Flowwow Seller, Flowwow for Couriers, Hoog (ERP system)

Join the program to make Flowwow even safer: bugbounty.standoff365.com/en-US/programs… 😎

Standoff Bug Bounty @StandoffBB
Happy New Year! 🎄 This year was full of solid finds, strong reports, and well-earned bounties. Thank you for every vulnerability uncovered, every late-night test, and every program you helped make more secure. In the new year, we wish you compelling scopes, fair triage, and bounties that truly make you smile. And of course, warm holidays with loved ones, cozy evenings, and plenty of tangerines. Thank you for being part of our bug bounty community. See you in 2026 with fresh energy, new opportunities, and even more great reports ✨

Standoff Bug Bounty @StandoffBB
Bitrix24 is now live on Standoff Bug Bounty 👨‍💻

New target unlocked: explore a complete business ecosystem that covers everything from CRM to video calls and automation.

In scope:
🔗 Bitrix24 portal
🔗 Unique domain

Added it to your calendar? Then head to Standoff Bug Bounty (bugbounty.standoff365.com/programs/bitri…) and help make business safer 💰

Standoff Bug Bounty @StandoffBB
Maximum payouts 🔥

You can now earn up to 2x rewards for valid vulnerabilities. That means up to 10 million rubles for a critical finding! Yep, ten million. Not a typo.

In scope:
• Web app
• Mobile app
• Wildcard for all domains

Want to make history and claim 10 million? Dive into the details and start hunting here: bugbounty.standoff365.com/en-US/programs… ⬅️

Standoff Bug Bounty @StandoffBB
New public program on Standoff Bug Bounty 😎

BCS Bank's bug bounty program is officially live and open to all hunters! bugbounty.standoff365.com/en-US/programs…

Payouts by severity:
Critical: up to RUB 250,000
High: up to RUB 120,000
Medium: up to RUB 50,000
Low: up to RUB 10,000

Scope:
bcs-bank.ru
lkbank.bcs.ru
*.bcs-bank.ru
Android and iOS apps (latest versions from bcs.ru)

Perfect time to earn some extra cash for that beer advent calendar 😎

Standoff Bug Bounty @StandoffBB
Security researcher interview 🖥️

We spoke with security researcher and bug hunter @m0m0x01d. He shared with us how he got started in bug bounty, who inspires him, and he offered some tips for beginner researchers.

1⃣ How did you get started with bug bounty?
It all happened pretty naturally. I've always been curious about how things work and, over time, I began to also wonder why they fail. When I found out there were platforms that actually pay you to look for those failures, one of my hobbies turned into a job.

2⃣ How do you approach finding vulnerabilities, and what do you usually focus on?
I usually start by figuring out the tech stack behind the app or website so I know what I'm dealing with and where weak spots are likely. I go after the simple, obvious issues first, the things that break with very little effort. After that, I slow down and spend more time on complex flows and edge cases.

3⃣ What types of bugs are the easiest for you to find right now?
Mainly logic issues. You don't need advanced coding skills or certifications for those. You need a clear idea of how a feature is supposed to work and the habit of noticing when you can use it in a way the creators never planned.

4⃣ What tools or techniques do you find most useful?
I mostly use FFUF and a few small tools I built myself. Still, most of my findings come from manual testing. Tools just speed up the process — they're helpful, but not essential.

5⃣ What channels, blogs, or resources do you follow to improve your skills?
This field changes constantly. Every month brings new techniques and new CVEs, so keeping up with the latest updates is critical. OWASP is great for learning and skill growth, and vulnerability catalogs like dbugs.ptsecurity.com are very helpful for exploitation.

6⃣ Are there any researchers you particularly follow or draw inspiration from?
There are many researchers I really respect, especially those who've mastered a specific domain. For example, OrwaGodFather is incredible at recon, Abdallah (HackerX007) excels at authorization issues, and shubs is brilliant with reverse engineering. But the person I admire most is Hussein98D. He's one of the most versatile hunters I've seen: he seems to adapt instantly to any new target, no matter the field.

7⃣ Which report has been the most memorable for you?
The most meaningful one was my first accepted report. It was an HTTP parameter pollution issue in an old public program, and I couldn't believe I'd found something that had been there for so long. The payout was only $200, but it gave me a huge boost of confidence. That same week, I ended up reporting over $2,000 worth of issues. It showed me how one small win can push you to go much bigger.

8⃣ What advice would you give to beginners who are just getting started?
Right now, there's a lot of inaccurate information online, especially from newer hunters making low-quality tutorials just for views. Many beginners end up building the wrong foundation because of it. If you really want to master the craft, focus on understanding how the things you're testing actually work. Learn how a website is built, try creating a simple one yourself. Get the basics down: what a vhost is, how DNS works, what a reverse proxy does, how a database talks to a server. All those small pieces add up, and once you understand the structure behind everything, finding real issues becomes much easier.

Thanks to @m0m0x01d for the inspiring words! We're sure that after such detailed answers, there will be more bug hunters out there.

Standoff Bug Bounty @StandoffBB
Turns out bug hunters are just entrepreneurs in hoodies 🤑

Kontur, one of the largest business ecosystems in Russia, is launching a public program on Standoff Bug Bounty.

Kontur's ecosystem covers EDI, accounting, e-signatures, information security, fintech, online cash registers and other business solutions. All of that is now open for bug hunters to explore, with bounties paying as much as 1,000,000 rubles!

Ready to hunt? Start earning bounties: bugbounty.standoff365.com/programs/kontur

Standoff Bug Bounty @StandoffBB
Cyber evaluation program by ElectroResheniya ⚡️

Think you can stress-test the cyber resilience of a major electrical equipment manufacturer? This challenge is for you.

Your mission: attempt to delete or encrypt backups and gain privileged access to the backup system.

Top reward: up to RUB 800,000 for achieving a non-tolerable event.

Rewards for intermediate results:
— Starting at RUB 100,000 for compromising a corporate account and gaining persistence on a workstation.
— Up to RUB 300,000 for demonstrating a way to disrupt the virtualization platform.

Deadline: December 16, or the first successful non-tolerable event.

Join Standoff Bug Bounty (bugbounty.standoff365.com/programs/elekt…) to help keep the lights on and the data safe. 💪

Standoff Bug Bounty @StandoffBB
Searching for bugs caused by inconsistent HTTP request parsing across servers and proxies ⌨️

If you love finding collisions in HTTP request handling, HTTP Garden (github.com/narfindustries…) is just what you need! This tool compares how different HTTP servers and proxies interpret the same request. It's especially handy for spotting HTTP Request Smuggling and other bugs ⤵️

1️⃣ Set up and run a few servers and proxies:
./garden.sh start --build gunicorn hyper nginx haproxy

2️⃣ Start the REPL:
./garden.sh repl

3️⃣ Send a test request through HAProxy (github.com/haproxy/haproxy) to the Gunicorn (github.com/benoitc/gunico…), Hyper (github.com/hyperium/hyper/) and Nginx (github.com/nginx/nginx) servers and check whether their interpretations match:
garden> payload 'GET / HTTP/1.1\r\nHOST: a\r\n\r\n' | transduce haproxy | fanout | grid
...

Under the hood, there are 35+ web servers and 10+ proxies, along with features to find artifacts in different server combinations.

#bugbountytips
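A defender-side counterpart to the parser comparison in the post above, added here as an example (not code from the original post or from HTTP Garden): a small Python check that flags the header conditions servers and proxies are known to interpret differently, so a front end can reject such requests instead of forwarding them. The request strings in the test are constructed; the first is the one from the post.

```python
import re

# RFC 9110 token characters. A header name that contains a space or other byte
# outside this set (e.g. "Content-Length : 4") is exactly what parsers disagree on.
_TOKEN = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")

def parse_headers(raw: bytes):
    """Split a raw request into (request_line, [(name, value)], findings)."""
    findings = []
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        findings.append("header block not terminated by CRLFCRLF")
    lines = head.split(b"\r\n")
    request_line = lines[0].decode("latin-1")
    headers = []
    for line in lines[1:]:
        if line[:1] in (b" ", b"\t"):
            # obs-fold: some parsers join it to the previous value, others reject it
            findings.append("obs-fold continuation line")
            continue
        if b"\n" in line:
            findings.append("bare LF inside header block")
        name, colon, value = line.partition(b":")
        if not colon or not _TOKEN.match(name.decode("latin-1")):
            findings.append("invalid header name %r" % name)
            continue
        headers.append((name.decode("latin-1").lower(),
                        value.strip(b" \t").decode("latin-1")))
    return request_line, headers, findings

def ambiguity_findings(raw: bytes) -> list:
    """Reasons a front end should reject the request rather than forward it."""
    _line, headers, findings = parse_headers(raw)
    cl = [v for n, v in headers if n == "content-length"]
    te = [v for n, v in headers if n == "transfer-encoding"]
    hosts = [v for n, v in headers if n == "host"]
    if cl and te:
        # RFC 9112 6.1 says Transfer-Encoding wins, but a hop honouring
        # Content-Length instead desyncs the connection (CL.TE / TE.CL).
        findings.append("both Transfer-Encoding and Content-Length present")
    if len(set(cl)) > 1:
        findings.append("conflicting Content-Length values")
    for v in cl:
        if not v.isdigit():
            findings.append("non-numeric Content-Length %r" % v)
    for v in te:
        codings = [c.strip().lower() for c in v.split(",")]
        if codings != ["chunked"]:
            findings.append("non-canonical Transfer-Encoding %r" % v)
    if len(hosts) != 1:
        findings.append("missing or duplicate Host header")
    return findings
```

An empty findings list means every hop should frame the message the same way; anything else is a request a reverse proxy should answer with 400 rather than pass on.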

Standoff Bug Bounty @StandoffBB
Exploiting JSON Web Tokens: from theory to practice 🚀

A JWT is made up of three parts: header, payload, and signature.
➡️ Header: declares the token type and the signing algorithm.
➡️ Payload: holds claims, which come in three flavors:
▪️ Standard: standard metadata about the token (purpose, issuer, expiration time)
▪️ Custom: user data (name, email address, phone number)
▪️ Non-standard: custom fields required for particular applications
➡️ Signature: protects integrity, ensuring the header and payload haven't been tampered with.

Most JWT vulnerabilities stem from misconfigurations and improper input validation during implementation. Let's dig in:

1⃣ alg: none (no signature): if the server accepts alg=none, you can strip the signature, tweak claims, and still get authenticated with an unsigned token.
2⃣ No signature verification: if signature validation is skipped, any tampered token is treated as valid.
3⃣ Algorithm confusion: changing the alg (for example, from RS256 to HS256) allows the public key to be used as an HMAC secret to forge the signature.
4⃣ JWK substitution: dynamically loading public keys (jwks.json) can be used to replace a key and accept maliciously signed tokens.
5⃣ Injection via kid: unsafe handling of the kid header can enable path/URL injection or force the verifier to pick the wrong key, letting forged tokens pass.
{ "alg": "RS256", "kid": "example-key' OR UNION SELECT 'users'; --" }
6⃣ Brute-forcing weak secrets: when using HMAC, weak or common secrets can be guessed by brute force.
$ john --wordlist=/path/to/wordlist.txt jwt.txt
7⃣ Hardcoded keys: secrets found in source code allow creating valid tokens.

Useful tools and resources:
🔗 Introduction to JSON Web Tokens: jwt.io/introduction#what-is-json-web-token
🔗 Exploiting JWT vulnerabilities: A complete guide: intigriti.com/researchers/bl…
🔗 The JSON Web Token Toolkit v2: github.com/ticarpi/jwt_to…
🔗 BurpSuite JWT Editor: portswigger.net/bappstore/26aa…
🔗 PortSwigger Web Security Academy: JWT attacks: portswigger.net/web-security/j…

#bugbountytips
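A verifier that closes issues 1, 2, 3 and 5 from the post above, added here as an example (not code from the original post or from any of the linked tools), using only the Python standard library and a constructed HS256 key store; the key id 2024-01 and the secret are assumptions. It refuses alg=none, selects the key by exact kid match, takes the algorithm from the server-side key record rather than the token header, and always checks signature and expiry.

```python
import base64, hashlib, hmac, json, time

# Constructed key store: kid -> (algorithm, secret). The kid is only ever used
# as an exact dictionary key, never as a file path or URL, and the algorithm is
# pinned per key on the server side (an assumption of this example).
KEYS = {"2024-01": ("HS256", b"constructed-demo-secret-do-not-reuse")}

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    """Mint an HS256 token; used here only to construct test inputs."""
    h = _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{_b64url_encode(sig)}"

def verify(token: str, now=None) -> dict:
    """Return the claims of a valid token, or raise ValueError."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
    except ValueError as e:  # bad split, base64, UTF-8 or JSON
        raise ValueError("malformed token") from e
    if not isinstance(header, dict):
        raise ValueError("header is not a JSON object")
    # (1) alg=none is refused outright; an unsigned token is never acceptable.
    if str(header.get("alg", "")).lower() == "none":
        raise ValueError("alg=none is not accepted")
    # (5) kid selects a key by exact match only, so path-, URL- or SQL-looking
    #     values simply miss the store instead of reaching another subsystem.
    kid = header.get("kid")
    if not isinstance(kid, str) or kid not in KEYS:
        raise ValueError("unknown kid")
    expected_alg, secret = KEYS[kid]
    # (3) The algorithm comes from the key record, not the token header, which
    #     closes the RS256 -> HS256 confusion route for this key.
    if header.get("alg") != expected_alg:
        raise ValueError("alg does not match the key's configured algorithm")
    # (2) The signature is always checked, with a constant-time compare.
    mac = hmac.new(secret, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p_b64))
    now = int(time.time()) if now is None else now  # exp is mandatory
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), int) \
            or claims["exp"] <= now:
        raise ValueError("token expired or missing exp")
    return claims

def rejects(token: str, now: int = 1000) -> bool:  # True if verify() refuses it
    try:
        verify(token, now=now)
    except ValueError:
        return True
    return False
```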