
Year in review at Standoff Bug Bounty: 32% of findings were high- or critical-severity vulnerabilities

In 2025, the number of bug bounty programs on the platform more than doubled, and average researcher payouts grew by 12%
 

Positive Technologies, a leader in results-driven cybersecurity, announced the 2025 performance of its Standoff Bug Bounty platform. The community of security researchers, available programs, and validated vulnerabilities grew sharply year over year, with 32% of accepted findings classified as high or critical. Offline businesses¹ turned out to be the most exposed sector, with 37% of accepted reports uncovering high- or critical-severity vulnerabilities.

The researcher community grew to 32,000 registered bug hunters, up 74% in 2025. According to the report, most security researchers have been active on bug bounty programs for one to three years, with 20% bringing longer-term experience. Motivation goes beyond payouts: monetary rewards lead at 92%, but 76% of respondents cite skill development and practical experience, and 54% point to building a professional reputation and gaining community recognition as key reasons to participate.

¹ In this report, "offline businesses" are companies where information technology plays only a supporting role. This category includes organizations in retail, healthcare, manufacturing, and logistics.

"Our bug hunter community is growing quickly and brings a wide range of experience levels and availability. That diversity is a core strength of the crowdsourced cyberdefense model for businesses. Our research indicates that two thirds of companies adopt bug bounty programs to strengthen security proactively as part of a structured defense strategy. For example, Standoff Bug Bounty ran 233 programs in 2025, which is 2.2 times more than in 2024. The trend underscores that bug bounty is an investment in resilience, reliability, and maturity of cybersecurity processes. The results speak for themselves: organizations are uncovering critical vulnerabilities, gaining clearer visibility into their attack surface, and improving collaboration between development and security teams, which ultimately lowers risk."

Aziz Alimov, Head of Standoff Bug Bounty

In 2025, researchers submitted 7,870 reports on Standoff Bug Bounty, up 61% from the previous year. Of all reports, 2,909 were unique and accepted for payout, up 34% versus 2024. High- and critical-severity vulnerabilities made up 32% of findings, rising by one percentage point from last year. Access control weaknesses remained the most common issue class across the platform's history: in 2025, they accounted for 58% of all high- and critical-severity vulnerabilities.

As the number of reports increased, payouts rose as well. In 2025, Standoff Bug Bounty paid researchers more than 160 million rubles in total, an increase of 49% compared with 2024. The top individual bounty reached 4,970,800 rubles, up 26% year over year. The average payout per accepted report exceeded 65,000 rubles, reflecting 12% growth. Overall, 43 security researchers earned more than 1 million rubles, and six surpassed 5 million rubles.
 

The report shows strong adoption of bug bounty programs among companies running large-scale digital platforms with complex business logic and a large user base. In 2025, content platforms² accounted for 19% of all programs on Standoff Bug Bounty, and enterprise and SaaS platforms³ accounted for 18%.

In 2025, bug hunters gravitated toward financial services, content platforms, and retail and e-commerce infrastructures, which together accounted for 49% of accepted reports. Content platforms accounted for the largest share of total payouts (24%). Enterprise and SaaS programs delivered the highest rewards, with the average payout per accepted report exceeding 115,000 rubles.

² Content platforms include social networks, media and entertainment services, advertising platforms, and educational platforms.

³ Enterprise and SaaS platforms include corporate portals, collaboration tools, video conferencing platforms, and business cloud solutions.