Standoff Bug Bounty in review (as of November 2024)

Standoff Bug Bounty is a platform where white hat hackers get rewards for discovering vulnerabilities, which helps companies enhance their IT infrastructure security. This study shows the platform operation results as of November 30, 2024. Read on to learn more about reports submitted by white hackers, rewards paid, and vulnerabilities detected. We'll discuss the unique and extraordinary programs that you can find on the platform, and show how bug bounty platforms can increase cyber resilience for companies.

Anna Vyatkina
Analyst, Research Group of PT Cyber Analytics

Introduction

Standoff Bug Bounty is a platform where white hat hackers get rewards for discovering vulnerabilities, which helps companies enhance their IT infrastructure security¹.

The platform allows companies to pay only for discovered and confirmed vulnerabilities and provides easy and confidential communication. It handles all the operations, including reward transfers, and ensures compliance with the principles of responsible vulnerability disclosure. Since it was launched in May 2022, the platform has drawn over 18,000 independent researchers from Russia and the CIS, China, Egypt, Ethiopia, India, Indonesia, Pakistan, and other countries. More than 8,000 reports have been submitted over the platform's history.

White hackers can use the platform to search for vulnerabilities in popular services and get rewards for it, so it's a place to do what they love—safely and legally. Taking part in programs provided by the platform also allows independent researchers to show and improve their skills, compete with each other, and enhance digital security to make the world a safer place. The platform has paid white hackers more than $1.73 million² for more than 3,670 detected vulnerabilities.

This study shows the platform operation results as of November 30, 2024. Read on to learn more about reports submitted by white hackers, rewards paid, and vulnerabilities detected. We'll discuss the unique and extraordinary programs that you can find on the platform, and show how bug bounty platforms can increase cyber resilience for companies. 

  1. A white hat hacker is a computer security specialist who ethically investigates IT systems and searches for vulnerabilities to help companies discover and remove their security flaws.
  2. Hereinafter, reward amounts are converted to USD at the rate of RUB 1 = USD 0.0109368.

Year 2024: key results

  • The platform hosts 84 programs to hunt for vulnerabilities in company systems in different industries.
  • The number of registered platform users has reached 18,400.
  • Researchers submitted 1,926 unique accepted reports, most of them in programs run by retail and e-commerce companies.
  • The maximum payment was USD 43,309, which is 39% higher than the maximum payment in 2023. 
  • The average payment for an accepted report in 2024 was almost $634, which is 13% higher than in the previous year. 
  • The total payments to white hackers from online service providers were larger than those from other companies. Bug hunters keep getting stable and generous rewards for the programs run by financial services: every 10th accepted report got at least USD 2,079.
  • The total share of detected vulnerabilities of high and critical severity reached 31%. This is more than double HackerOne's percentage in 2024 (15%).
  • In 2024, the share of reports on critical security flaws went up to 12%, and the share of high-severity vulnerabilities remained at 19%.
  • Government services keep the first place in the number of critical vulnerabilities, while most reports (30%) with high-severity vulnerabilities were submitted by bug hunters to software developers.
  • Broken access control has been the most popular vulnerability class for the entire platform's lifetime. Almost half of the high- and critical-severity vulnerabilities belong to this class.
  • In 2024, 16 bug hunters earned more than $11,000, and three of those hunters earned more than $76,558.

Reports

Compared to November 2023, the number of registered platform users increased from 7,537 to 18,400. The constantly growing number of programs available for research keeps white hackers interested. In 2024, users could search for bugs within the programs run by the Russian Ministry of Digital Development or companies like Rambler&Co, VK, Wildberries, T-Bank, and others. Researchers can now choose from 84 programs in various industries. Most of the programs are from online services, media and entertainment, retail, and e-commerce. Bug hunters say they are most interested in the financial sector (21% of respondents) and the consumer sector (stores, delivery, and marketplaces) (21%).

In addition to the large number of available programs, white hackers choose Standoff Bug Bounty for fair and quick verification of reports. According to the survey, 58% of bug hunters consider the platform the fastest and most professional in vulnerability triage.

Figure 1. Number of programs on the platform by industry (November 2024)

The active growth in the number of users and programs affects the performance of the entire platform, including the number of reports created by researchers. By November 2024, bug hunters had submitted 1,926 accepted and unique reports to the platform. This number increased by 43 percentage points (p. p.) compared to the whole year 2023. In 2024, the most common reason for rejecting reports was duplication. A report is a duplicate if another researcher has already reported the vulnerability or the company already knew about the bug.

Figure 2. Number of accepted reports by year³
  3. In this and the following charts, the year 2024 refers to the data as of November 30, 2024. The year 2022 includes the data starting from the platform launch in May.

Even though programs run by retail and e-commerce companies are just 12% of all programs, they accepted the largest number of reports—26% of all reports accepted in 2024, which is 4% more than in the previous year. This is because large marketplaces—Ozon and Wildberries—joined the platform at the end of 2023. The Ozon program is the leader in the number of accepted reports among the public programs offered on the platform in 2024. Wildberries is the report leader for the whole platform's lifetime: it has accepted more than 600 vulnerability reports since the launch. Both programs are available to foreign white hackers. The total amount paid was more than $60,150 in the Ozon program and more than $62,340 in the Wildberries program.

The number of vulnerabilities detected on the platform in the public sector also increased. Government agencies accepted 12% of all reports in 2024, which is almost double the previous year's figure. At the end of 2023, the Russian Ministry of Digital Development launched the second stage of its bug bounty program and expanded it to all e-government resources and systems. In 2024, the e-services of Russia's regions became available to white hackers on the platform. For example, bug hunters from Russia could explore the Sverdlovsk region cloud platform and get up to $330 for detecting critical vulnerabilities.

Our data shows that over the last six years the public sector has been the leading target of successful cyberattacks. From 2022 to the middle of 2024, almost every third successful attack on the public sector involved vulnerability exploitation. To detect vulnerabilities that may have been missed during internal checks, it is extremely important to implement bug bounty programs.

Figure 3. Number of accepted reports by industry (November 2024)

Payouts

The Standoff Bug Bounty team and the companies' management develop optimal conditions and reward sizes for each program. The maximum payouts can vary significantly. They depend on the bug bounty program budget, its maturity, and how long the company has been running the program. In 2024, the maximum payout was USD 43,309, which is 39% higher than in 2023.

Figure 4. Maximum payments by industry in 2024

Today, the maximum rewards are provided in the special programs Innostage (up to USD 110,000) and Positive dream hunting (USD 660,000) for triggering a non-tolerable event⁴: a money theft or code injection. At the end of 2024, another special program was launched by Rambler&Co in the APT Bug Bounty format. Bug hunters who trigger a non-tolerable event in this program get $32,810.

The Innostage program accepted one report, and the bug hunter was paid USD 1,094 for an intermediate result in potential triggering of a non-tolerable event. Other non-tolerable event bounty programs haven't accepted any reports yet. They are waiting for researchers who can reach the goal and get the maximum reward.

The rest of the platform programs offer the classic vulnerability discovery format. The largest rewards are in the VK programs: VKontakte, Mail, Mail.ru Cloud and Calendar, and RuStore. Researchers can earn up to USD 40,000 for vulnerabilities that allow remote code execution.

The reward size may depend on the severity of the vulnerability, the likelihood of its use by threat actors, the environment, and other factors. The average payment in 2024 was almost $634, which is 13% higher than in the previous year.

  4. A non-tolerable event is an event caused by a malicious actor that prevents the company from achieving its operational and strategic goals or leads to long-term disruption of the company's core activities.

Figure 5. Total 2024 payouts by industry

In 2024, online service developers paid white hackers more than companies in other industries—more than a third (37%) of the total payouts. The biggest average payout also came from this industry—more than USD 1,141 for a report; and every tenth reward in the industry was over USD 1,724. 

In 2024, bug hunters were getting stable and generous rewards for the programs run by financial services. Every 10th accepted report got at least USD 2,079. Half of all accepted reports brought more than $218 to their authors.

Figure 6. Median, average value, and the 90th percentile for payouts in 2024

Vulnerabilities found

The most useful reports for companies are the ones about critical and high-severity vulnerabilities. Threat actors are most likely to exploit such vulnerabilities in real attacks on target systems, which means they have to be fixed first. As the platform evolves, hunters discover more of those vulnerabilities. In 2024, the total number of critical and high-severity vulnerabilities reached almost a third (31%) of all detected vulnerabilities, which is more than double the number for HackerOne (15%). The share of reports on critical security flaws went up to 12%, and the share of high-severity vulnerabilities remained at 19%. Most of the submitted reports cover low- and medium-severity vulnerabilities because those are easier and faster to discover, though the reward is also lower.

The highest percentage of reports on high-severity vulnerabilities was submitted to software developers—almost a third (30%) of all accepted reports. Public sector programs accepted the highest percentage of reports containing critical vulnerabilities: almost every fifth report (19%). Government agencies often use outdated systems and infrastructure, which are harder to protect and upgrade (sometimes due to insufficient budgets). This is why it's easier for white hackers to find critical vulnerabilities in such organizations. HackerOne has noticed a similar trend: it reports that government agencies fail to fix easy-to-find vulnerabilities.

Figure 7. Severity of detected vulnerabilities according to CVSS, by year (percentage of accepted reports)⁵

  5. N/A refers to reports about vulnerabilities that do not have a significant negative impact on the company's infrastructure. There is usually no reward for such reports.

In 2024, hackers found many security flaws in applications. The most common ones were CWE-284, CWE-79, and CWE-200. According to HackerOne, these are the top three vulnerabilities by the number of white hackers' reports, so the Standoff Bug Bounty statistics follow the global trend. Further in this study, we'll take a look at the breakdown of detected vulnerabilities by OWASP Top-10 2021 categories.

Figure 8. Most common security flaws (CWE) in 2024 (percentage)

For the entire platform's lifetime, broken access control vulnerabilities have been the most common ones (42%). Almost half (49%) of critical and high-severity vulnerabilities belong to this category. Access control failures can lead to unauthorized access to data or applications and allow attackers to act outside their intended permissions. This category also comes first in the list of the most common vulnerabilities in web applications (OWASP Top-10 2021).

The second place belongs to vulnerabilities related to injection of code into user requests (22%). 19% of critical and high-severity vulnerabilities belonged to this category. Attackers use these vulnerabilities to inject malicious code into requests sent to the server and execute it, which allows them to steal confidential data, attack users, or even gain control of the server.
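The injection mechanism described above, as an added example that is not code from the Standoff Bug Bounty platform or any program on it: a user lookup in which the request value is pasted into the SQL text, beside the parameterised form. The in-memory SQLite table and its rows are constructed for the example.

```python
"""Injection (OWASP A03) in a user lookup: SQL built from strings beside the
parameterised form.

Added illustration, not code from the Standoff Bug Bounty platform or any
program on it. The in-memory SQLite table and its rows are constructed.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data, including a name that contains a quote."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("o'brien", "obrien@example.com")],
    )
    return conn


def find_email_vulnerable(conn: sqlite3.Connection, name: str) -> list[str]:
    """Vulnerable: the request value is pasted into the SQL text, so any
    quote or operator in it is parsed as SQL rather than treated as data."""
    query = f"SELECT email FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(query)]


def find_email_hardened(conn: sqlite3.Connection, name: str) -> list[str]:
    """Hardened: the value is bound as a parameter. The query text is fixed
    at development time and the driver passes the value as data only."""
    query = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(query, (name,))]


def vulnerable_breaks_on_quote(conn: sqlite3.Connection) -> bool:
    """The tell-tale sign of injectable code: a legitimate name containing a
    single quote changes the structure of the query and the database rejects
    it. That structural change is exactly what injection relies on."""
    try:
        find_email_vulnerable(conn, "o'brien")
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print(find_email_hardened(db, "o'brien"))  # ['obrien@example.com']
    print(vulnerable_breaks_on_quote(db))      # True
```

The hardened form works for the quoted name because the value never reaches the SQL parser; the same binding is available in every mainstream database driver, and an ORM's query builder does it for you. A database error on ordinary punctuation in user input is worth alerting on in application logs, since it is the first symptom a tester sees.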

The third place goes to vulnerabilities caused by insecure design: almost one in ten (9%) of the vulnerabilities detected by bug hunters. They account for 7% of critical and high-severity vulnerabilities. These are architectural and logical errors made during planning or development: lack of security mechanisms, authorization and authentication checks, and access control. These flaws are hard to fix because that would likely require a revision of the system architecture.

The fourth place goes to identification and authentication flaws—they take up 7%. These security flaws may allow an attacker to bypass access control mechanisms, capture user accounts, and access sensitive data.
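The broken access control category discussed above (the platform's most common class, and the CWE-284 family in Figure 8) and the identification and authentication flaws in the previous paragraph share one root: the server authenticates the caller but never asks whether this caller may touch this object. The following added example, which is not code from the Standoff Bug Bounty platform or any program on it, shows an order lookup that trusts the id in the request beside one that authorises every object access, plus a simple detector for the denial bursts that id enumeration leaves behind. The users, orders and roles are constructed.

```python
"""Broken access control (OWASP A01, CWE-284 family) in an order lookup:
a handler that trusts the id in the request beside one that authorises
every object access, plus a simple detector for enumeration attempts.

Added illustration, not code from the Standoff Bug Bounty platform or any
program on it. The users, orders and roles are constructed.
"""

# Constructed sample data: two customers and one support agent.
USERS = {"alice": "customer", "bob": "customer", "carol": "support"}
ORDERS = {
    101: {"owner": "alice", "total": 42.00},
    102: {"owner": "bob", "total": 7.50},
}

# Denied object accesses, recorded for detection as (user, order_id).
AUDIT_LOG: list[tuple[str, int]] = []


class Forbidden(Exception):
    pass


def get_order_vulnerable(user: str, order_id: int) -> dict:
    """Vulnerable: the caller is authenticated, but nothing checks that this
    user may see this order. Any logged-in user reads any order by changing
    the id (an insecure direct object reference)."""
    return ORDERS[order_id]


def can_access(user: str, order_id: int) -> bool:
    """Object-level authorisation rule, deny by default: only the order's
    owner or a support role may read it. Kept pure so it is easy to test."""
    order = ORDERS.get(order_id)
    if order is None:
        return False
    return order["owner"] == user or USERS.get(user) == "support"


def get_order_hardened(user: str, order_id: int) -> dict:
    """Hardened: the authorisation check runs on every request, and a
    missing order and a denied one produce the same error so that valid
    ids cannot be told apart from invalid ones."""
    if not can_access(user, order_id):
        AUDIT_LOG.append((user, order_id))
        raise Forbidden("not found or not permitted")
    return ORDERS[order_id]


def count_denials(user: str, order_ids: list[int]) -> int:
    """Call the hardened handler for a range of ids and return how many
    were denied; stands in for what a request log would show."""
    denied = 0
    for oid in order_ids:
        try:
            get_order_hardened(user, oid)
        except Forbidden:
            denied += 1
    return denied


def suspicious_users(threshold: int = 3) -> set[str]:
    """Users with at least `threshold` denied object accesses. A burst of
    denials across sequential ids is the usual footprint of id enumeration
    and a good candidate for an alert."""
    counts: dict[str, int] = {}
    for user, _ in AUDIT_LOG:
        counts[user] = counts.get(user, 0) + 1
    return {u for u, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print(get_order_vulnerable("bob", 101))          # bob reads alice's order
    print(count_denials("bob", [100, 101, 102, 103]))  # 3: only 102 is his
    print(suspicious_users())                        # {'bob'}
```

Two design choices carry the weight here: the check lives in one pure function called on every object access rather than being repeated ad hoc in each handler, and denied and non-existent ids are indistinguishable to the caller. The audit log turns a failed access into a detection signal, which is how a program owner notices an IDOR hunt before a report arrives.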

Some vulnerability categories—for example, A06: Vulnerable and Outdated Components—were not detected at all. This is due to bug bounty specifics: reports about the use of outdated or potentially vulnerable software are considered informational. However, we can't underestimate the danger of this kind of flaw. Delaying vulnerability fixes can lead to serious issues for organizations.

Figure 9. Vulnerability breakdown by OWASP Top-10 2021 categories in 2022–2024 (percentage)
Figure 10. Critical and high-severity vulnerability breakdown by OWASP Top-10 2021 categories in 2022–2024 (percentage)

The leading industries with broken access control vulnerabilities are retail and e-commerce (49%) and financial services (48%). In financial services, 67% of all detected critical and high-severity vulnerabilities were related to broken access control. These services often have complex access levels, which makes them more difficult to manage. In addition, financial and trading services usually use systems that are constantly updated. In such systems, insufficient access control may result in sensitive data leakage or financial losses.

The highest percentage (33%) of vulnerabilities related to code injection was detected in the public sector. Government agencies get fewer reports about more complex vulnerabilities, such as architectural or logical flaws, because white hackers hunt for simpler vulnerabilities before getting deeper into the infrastructure. As we mentioned before, a lot of vulnerabilities stay undetected due to lack of budget, use of legacy systems, and a large number of assets.

In the transportation sector, most accepted reports (24%) were related to vulnerabilities that lead to SSRF attacks. An attacker can exploit such vulnerabilities to force the server to make requests to internal or external resources on its behalf. That might allow the attacker to gain access to internal systems and bypass access restrictions.
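The SSRF defence that the paragraph above implies, as an added example that is not code from the Standoff Bug Bounty platform or any program on it: before the server fetches a URL on a user's behalf, it checks the scheme, rejects credentials in the URL, requires the host to be on an allowlist, resolves the name and refuses any address that is not globally routable. The allowlist and the stub resolver are constructed; the resolver is injectable so the example runs offline.

```python
"""Server-side request forgery (OWASP A10) defence: validate an outbound
URL before the server fetches it on a user's behalf.

Added illustration, not code from the Standoff Bug Bounty platform or any
program on it. The allowlist and the stub resolver are constructed; the
resolver is injectable so the example runs offline.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Constructed allowlist: the only hosts this service is meant to call.
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}

# Constructed stand-in for DNS so the example runs offline; in production
# the default resolver below (socket.gethostbyname) is used instead.
STUB_DNS = {"api.example.com": "93.184.216.34", "cdn.example.com": "10.0.0.5"}


def stub_resolve(host: str) -> str:
    if host not in STUB_DNS:
        raise socket.gaierror(f"constructed: no record for {host}")
    return STUB_DNS[host]


def is_globally_routable(ip_text: str) -> bool:
    """True only for public addresses: loopback, private (RFC 1918),
    link-local, multicast, reserved and unspecified ranges all return False."""
    return ipaddress.ip_address(ip_text).is_global


def check_outbound_url(url: str, resolve=socket.gethostbyname) -> tuple[bool, str]:
    """Returns (allowed, detail). On success `detail` is the resolved IP:
    connect to that address rather than resolving the name a second time,
    otherwise a record that changes between check and use (DNS rebinding)
    defeats the check."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if parts.username is not None or parts.password is not None:
        # user@host forms are a classic way to confuse host parsing
        return False, "credentials in URL not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if host not in ALLOWED_HOSTS:
        return False, "host not on allowlist"
    try:
        addr = resolve(host)
    except OSError:
        return False, "name resolution failed"
    if not is_globally_routable(addr):
        return False, f"{host} resolves to non-public address {addr}"
    return True, addr


if __name__ == "__main__":
    for candidate in ("https://api.example.com/v1/items",
                      "https://cdn.example.com/img.png",
                      "https://api.example.com@other.example/"):
        print(candidate, check_outbound_url(candidate, stub_resolve))
```

An allowlist of hosts is the strongest control and should be the default for any "fetch this URL" feature; the resolved-address check is the backstop for allowlisted names whose DNS is compromised or misconfigured (the constructed cdn.example.com record pointing into 10.0.0.0/8 shows that case). If redirects are followed, each hop needs the same check, since a redirect to an internal address is the usual way past a check that only looks at the first URL.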

Figure 11. Vulnerability breakdown by industries and OWASP Top-10 2021 categories in 2022–2024 (percentage)

Bug hunters

For most researchers (29% of respondents), bug hunting is a side job that they do in their free time. For 27% of researchers, bug hunting is the main job and a stable income source. 

Figure 12. Answers to the question "What is bug hunting for you?" (percentage of respondents)

The majority (29%) of respondents spend less than a fourth of their working hours in a month on bug hunting, while for 17% of respondents bug hunting takes up all of their working hours. The main motivation for white hackers is, of course, the financial reward: 33% say that this is the key benefit of bug hunting. However, some researchers (21%) state that the main takeaway is boosting their skills and experience. 

Figure 13. Answers to the question "What is the main bug hunting benefit for you?" (percentage of respondents)

The majority of white hackers get information about bug hunting from Telegram channels (65% of respondents), special websites (56%), or Twitter (X) (21%). Almost half (48%) of researchers seek help from the community via conversations and forums.

Standoff Bug Bounty now offers disclosed vulnerability reports that bug hunters can use to improve their skills. Real examples are a powerful tool for both beginners and experts: beginners can learn the principles of security testing, and experts can find new approaches. In addition, disclosure of reports provides transparency and builds trust between researchers and the companies whose systems they investigate.

The largest rewards are shown in Figure 14. Since the platform launch, three white hackers have earned more than $120,300 each. In 2024, 16 bug hunters earned more than $11,000 each, and three of them over $76,558 each.

Figure 14. Rewards of the most successful bug hunters

For 75% of respondents, invites to private events are an appealing bug bounty reward. Standoff hosts private Standoff Hacks, where the top bug hunters can join programs with totally new apps and higher rewards.

One such event was held in Moscow before the Positive Hack Days festival in May. White hackers earned more than $43,747 in total, and the most productive researcher made over $10,500. Besides competing in bug search, the participants had a chance to hit a race track.

Conclusion

For five years running, exploitation of software, hardware, and web app vulnerabilities has ranked among the top three most popular attack methods against organizations. In Q3 2024, this method was used in a third of the successful attacks. According to IBM, in 2024, the average cost of a data breach in which exploitation of an unfixed vulnerability served as the initial vector was USD 4.33 million. This highlights the need for proactive IT infrastructure and web application protection. Timely detection and remediation of vulnerabilities allow companies to significantly reduce the odds of successful attacks and mitigate potential losses. This makes bug bounty programs a critical tool for cybersecurity.

Standoff Bug Bounty is a platform where companies and hackers collaborate to promptly detect and remediate vulnerabilities, reducing the risk of successful attacks and possible financial and reputation losses. This is especially important in the context of the growing number of attacks that exploit vulnerabilities in web apps and IT infrastructure.

To white hackers, the platform offers a unique opportunity not only to contribute to security, but also to get recognition and financial reward for their knowledge and effort. The wide range of industries and programs allows bug hunters to focus on the sectors for which their technical skills are best tailored. The active involvement of hackers makes the bug bounty programs effective and helps companies enhance the security of their systems in a timely manner.
