Welcome to Standoff Bug Bounty — where hackers and businesses join forces, and everyone wins. Start the hunt 👇

Joined August 2024
BCS Bank is back on Standoff Bug Bounty 🔥 The program is open to all bug hunters. If you've been eyeing a bank scope, now's a good time to jump in.
Current payouts:
Critical, up to $3,350
High, up to $1,610
Medium, up to $670
Low, up to $135
Info, no reward
Scope:
bcs-bank.ru/
lk.bcs-bank.ru/
*.bcs-bank.ru
Android and iOS apps (latest versions from bcs.ru)
BCS Bank's attack surface is open for testing. Get hunting and get paid (bugbounty.standoff365.com/pr…) 💰
That's us at Hacks. Back home now. The event's over, but the energy's sticking with us. Here's a little video from day two so you can get a taste of it—the buzz, the drive, and the community. See you at the next Hacks. New location, same electric vibe 🔛
Standoff Hacks Finals. Shanghai, Day 2 🇨🇳
Top 3:
🥇 r0hack — MVP of Standoff Hacks
🥈 freeman
🥉 BlackFan
MVPs by program:
🏆 BlackFan — T-Bank
🏆 brain — VK
🏆 hussein98d — Jet Infosystems
🏆 Antart — Bitrix24
30 top bug hunters
350 reports
$300K in bounties
Two weeks of high-intensity work: hundreds of submissions, rigorous triage, and real-world impact. Huge thanks to every researcher who kept the pace all the way to the finals. The next Standoff Hacks… coming soon 👀
Standoff Hacks | Shanghai | Day 1 🇨🇳 Sharing the vibe. Everyone’s here. Before the finals — warming up at Shanghai Disneyland, then a cozy hot pot dinner 🎢
Standoff Bug Bounty 2025 wrapped. Here's what the numbers say 🧐 We packed every payout, every vulnerability class, and every trend from the past year into a single report. The team combed through the platform and highlighted standout items, ranging from researcher earnings and the most common vulnerability types to where bug bounty is headed the rest of this year. We included tables and charts for clarity.
What's inside:
📎 Who earned what and for which vulnerabilities
📎 The most critical flaws uncovered
📎 What's shifting in the bug bounty world in 2026
If you want to stay in the loop about how bug bounty is doing and what to pay attention to, check out the research at the link global.ptsecurity.com/en/res…
Kontur double payouts are live 🤑 From March 2 through March 31, qualifying bugs come with double payouts. This round targets the authentication system and account portal. Rewards for eligible vulnerabilities can reach $25,285.
In scope:
auth.kontur.ru
identity.kontur.ru
cabinet.kontur.ru
api.kontur.ru/cabinet-api/*
api.kontur.ru/auth/*
Good to know:
〰️ Higher payouts apply only to the listed scope
〰️ Limit automated scanning to 5 RPS
〰️ Be sure to add the X-BugBounty: {standoff_username} header to all requests
Snag vulnerabilities (bugbounty.standoff365.com/en…) while double rates are active 😼
✉️ New message for you: hh.ru goes public on Standoff Bug Bounty
Your dream job just landed — bugs and bounties are already waiting for you on the career platform. The program was previously open to a select group of researchers, but now hh.ru is opening its doors to every bug hunter out there. Earn up to $6,414 for discovered vulnerabilities 💰
What's in scope:
• hh.ru
• api.hh.ru
• dev.hh.ru
• talantix.ru
• setka.ru
• api.setka.ru
Everything's set for the hunt. The only thing missing? Your report. Jump into Standoff Bug Bounty (bugbounty.standoff365.com/en…) and make the internet safer 🔥
What is Standoff Hacks and how do you get in? 🤔 We sat down with one of our researchers, Hackerx007 @XHackerx007, to find out what participating in Standoff Hacks means to him. Dive into the amazing world of Standoff Hacks and explore it with us! Read the interview, then join the contest for a chance to win an invite to a party abroad 😎
1⃣ What does participating in Standoff Hacks mean to you?
A lot! It allows me to challenge myself and push my hacking mentality to the maximum level. It was my first LHE, so I didn't think I would win, but while hacking, I discovered a new part of my skills! Under pressure, you discover new skills that you didn't think you were capable of. So what does Standoff Hacks mean to me? It means confidence and challenge! Winning an LHE against 32 elite hackers showed me that under pressure we can do things we didn't think we could do.
2⃣ You have participated in Standoff Hacks before. What are the most vivid impressions you remember?
The spirit, the community, and the management! When I met the other hackers, it felt like we'd known each other for a long time. Even though we were against each other, everyone was hoping the other would win! We had such a beautiful time together. And the program managers were with us — Elizaveta from T-Bank and Alexander from WB — giving their support. And you know what? We didn't even feel like they were the program owners. We were joking, having fun! And the support we got from the Positive Technologies team — Alex, Max, Masha — was amazing. Those moments and the time we spent, the laughs... it's unforgettable.
3⃣ What is most important to you at such events: victory, experience, money, or the community?
Experience and community. As I said, I discovered things I didn't think I was able to do. I learned critical skills — working under pressure allows you to learn new things! Also the community — making new friends who think just like you. You know, all hackers around the world share the same way of thinking, and that makes the connection much easier. As I said, we felt like we'd known each other forever. We had a lot of fun! So making new friends and learning new things — that's what I'm looking forward to.
4⃣ How do you usually prepare for Standoff Hacks — or do you deliberately not prepare?
I would love to take a break for a few days before the event, so I can recharge my energy and be ready to hack day and night!
5⃣ What is the most challenging part of Standoff Hacks: the lack of time or the competitive pressure?
Neither! The most challenging thing is proving to yourself that you can do it. Anyone can win. I was challenging myself, because when I started, I didn't think I could win, but I was trying to prove to myself that I could do it! The time was enough for me, and working under pressure is beneficial — so the real challenge was proving to myself that I can and I will!
6⃣ What are you most looking forward to at Standoff Hacks in China: complex bugs, networking, or the atmosphere?
I'm not greedy — all three of them! Finding critical bugs gives me confidence, making new friends and connections, and enjoying the time with other hackers! See you in China!
Standoff Hacks is almost here! 🔛 Want in? Standoff Hacks is our private two-week live hacking event — top researchers, closed corporate targets, serious rewards, and a final party somewhere in the world (TBA!).
How to get an invite:
➡️ Hunt bugs in the OZON program: bugbounty.standoff365.com/en…
➡️ Submit valid reports
➡️ Earn points
➡️ Increase your chances of getting one of the invitations
That’s it 🎉
Dates
Feb 20, 10:00 AM – Mar 6, 11:59 PM (Moscow Time)
Go hunt! 🐞
New cyber testing program from Jet Infosystems 😎 You can now test one of the most complex enterprise infrastructures out there, and see how it holds up under pressure
Key scenarios include:
🔵 Infrastructure control Domain administrator rights Virtualization access Server and backup management control
🔵 Protected privileged access perimeter access Isolation bypass Perimeter movement Protected perimeter network control
What you need to know is:
➖ OSINT and social engineering are allowed.
➖ Phishing emails to @ jet[.]su are permitted.
➖ Only non-destructive methods are allowed.
➖ Clients and partners are out of scope. Do not target their systems.
💰 Earn as much as $19,588 in rewards
Reward opportunities are available now, so jump in while the testing scope is still open: bugbounty.standoff365.com/en…
If you find a vulnerability, submit the report through the main bug bounty program: bugbounty.standoff365.com/en…
43 ruble millionaire bug hunters on the Standoff Bug Bounty platform 🤵 Intrigued? Let's recap Standoff Bug Bounty's performance in 2025. 📈
Last year, the platform saw growth across every metric:
🔘 233 programs launched — that's 2.2x more than the previous year. The bug bounty market is expanding rapidly; we are seeing increased participation not just from online services, but also from offline businesses, IT vendors, and government organizations.
🔘 Hackers submitted 7,870 reports, of which 2,909 were accepted — a 34% increase year-over-year. As usual, the financial sector drove the most activity.
🔘 2025 shattered other records as well: ➡️ The highest single payout was $65,000, and the average reward rose by 12%, reaching $860.
🔘 Access control remains the top priority. In 2025, 58% of high and critical severity vulnerabilities fell into this category. It remains the most persistent issue in the platform's history.
🔘 Total payouts reached $2,110,435 — a 49% increase over 2024.
However, our biggest achievement isn't the data — it's you, the community. Thank you for your contributions!
Flowwow is open to all bug hunters 🌸 Want to check how secure the flower and gift marketplace is? You're in the right place: the Flowwow platform can now be tested by all researchers!
What's in scope:
🟢 Main domain: flowwow.com
APIs and subdomains: apis.flowwow.com, envio.flowwow.com, api2.flowwow.com, api-shop.flowwow.com, api-email.flowwow.com, clientweb.flowwow.com
🟢 Mobile apps for iOS and Android: Flowwow, Flowwow Seller, Flowwow for Couriers, Hoog (ERP system)
Join the program to make Flowwow even safer: bugbounty.standoff365.com/en… 😎
Happy New Year! 🎄 This year was full of solid finds, strong reports, and well-earned bounties. Thank you for every vulnerability uncovered, every late-night test, and every program you helped make more secure. In the new year, we wish you compelling scopes, fair triage, and bounties that truly make you smile. And of course, warm holidays with loved ones, cozy evenings, and plenty of tangerines. Thank you for being part of our bug bounty community. See you in 2026 with fresh energy, new opportunities, and even more great reports ✨
Bitrix24 is now live on Standoff Bug Bounty 👨‍💻 New target unlocked: explore a complete business ecosystem that covers everything from CRM to video calls and automation
In scope:
🔗 Bitrix24 portal
🔗 Unique domain
Added it to your calendar? Then head to Standoff Bug Bounty bugbounty.standoff365.com/pr… and help make business safer 💰
Maximum payouts 🔥 You can now earn up to 2x rewards for valid vulnerabilities. That means up to 10 million rubles for a critical finding! Yep, ten million. Not a typo.
In scope:
• Web app
• Mobile app
• Wildcard for all domains
Want to make history and claim 10 million? Dive into the details and start hunting here bugbounty.standoff365.com/en… ⬅️
New public program on Standoff Bug Bounty 😎 BCS Bank's bug bounty program is officially live and open to all hunters! bugbounty.standoff365.com/en…
Payouts by severity:
Critical: up to RUB 250,000
High: up to RUB 120,000
Medium: up to RUB 50,000
Low: up to RUB 10,000
Scope:
bcs-bank.ru/
lkbank.bcs.ru/
*.bcs-bank.ru
Android and iOS apps (latest versions from bcs.ru/)
Perfect time to earn some extra cash for that beer advent calendar 😎
Security researcher interview 🖥️ We spoke with security researcher and bug hunter @m0m0x01d. He shared with us how he got started in bug bounty, who inspires him, and he offered some tips for beginner researchers.
1⃣ How did you get started with bug bounty?
It all happened pretty naturally. I've always been curious about how things work and, over time, I began to also wonder why they fail. When I found out there were platforms that actually pay you to look for those failures, one of my hobbies turned into a job.
2⃣ How do you approach finding vulnerabilities, and what do you usually focus on?
I usually start by figuring out the tech stack behind the app or website so I know what I'm dealing with and where weak spots are likely. I go after the simple, obvious issues first, the things that break with very little effort. After that, I slow down and spend more time on complex flows and edge cases.
3⃣ What types of bugs are the easiest for you to find right now?
Mainly logic issues. You don't need advanced coding skills or certifications for those. You need a clear idea of how a feature is supposed to work and the habit of noticing when you can use it in a way the creators never planned. Mainly logic issues. You don’t need advanced coding skills or certifications for those — just a clear understanding of how a feature is supposed to work, and the ability to notice when it can be used in a way the creators didn’t intend.
4⃣ What tools or techniques do you find most useful?
I mostly use FFUF and a few small tools I built myself. Still, most of my findings come from manual testing. Tools just speed up the process — they’re helpful, but not essential.
5⃣ What channels, blogs, or resources do you follow to improve your skills?
This field changes constantly. Every month brings new techniques and new CVEs, so keeping up with the latest updates is critical. OWASP is great for learning and skill growth, and vulnerability catalogs like dbugs.ptsecurity.com are very helpful for exploitation.
6⃣ Are there any researchers you particularly follow or draw inspiration from?
There are many researchers I really respect, especially those who've mastered a specific domain. For example, OrwaGodFather is incredible at recon, Abdallah (HackerX007) excels at authorization issues, and shubs is brilliant with reverse engineering. But the person I admire most is Hussein98D. He's one of the most versatile hunters I've seen: he seems to adapt instantly to any new target, no matter the field.
7⃣ Which report has been the most memorable for you?
The most meaningful one was my first accepted report. It was an HTTP parameter pollution issue in an old public program, and I couldn't believe I'd found something that had been there for so long. The payout was only $200, but it gave me a huge boost of confidence. That same week, I ended up reporting over $2,000 worth of issues. It showed me how one small win can push you to go much bigger.
8⃣ What advice would you give to beginners who are just getting started?
Right now, there's a lot of inaccurate information online, especially from newer hunters making low-quality tutorials just for views. Many beginners end up building the wrong foundation because of it. If you really want to master the craft, focus on understanding how the things you're testing actually work. Learn how a website is built, try creating a simple one yourself. Get the basics down: what a vhost is, how DNS works, what a reverse proxy does, how a database talks to a server. All those small pieces add up, and once you understand the structure behind everything, finding real issues becomes much easier.
Thanks to @m0m0x01d for the inspiring words! We're sure that after such detailed answers, there will be more bug hunters out there.