
SberTech, a Russian software developer under the Sber ecosystem, has expanded its public bug bounty program on the BI.ZONE platform, now covering client-facing services under sbertech.ru. The program, which previously focused on GitVerse (a code collaboration platform with AI features), now offers rewards of up to 200,000 RUB per vulnerability, scaled by severity [1]. This move aligns with broader trends in the Russian cybersecurity market, where bug bounty programs have grown by 300% in fintech and 600% in government sectors since 2024 [3].
Program Scope and Rewards
The expanded program targets vulnerabilities in public-facing web services, APIs, and middleware components. Critical flaws, such as remote code execution (RCE) or authentication bypasses, qualify for the maximum reward of 200,000 RUB, while lower-severity issues like cross-site scripting (XSS) receive smaller payouts. BI.ZONE, the hosting platform, has processed over 60 million RUB in rewards since 2024, with SberBank’s earlier programs paying up to 500,000 RUB for critical banking vulnerabilities [2].
Strategic Context
Maxim Tyatyushev, CEO of SberTech, stated:
“Bug Bounty demonstrates our commitment to independent security assessments.”
Andrey Lyovkin of BI.ZONE added that commercial software firms are increasingly adopting such programs, signaling market maturity [1]. The Sber ecosystem—including SberBank, SberFactoring, and now SberTech—has emerged as a dominant user of BI.ZONE’s platform, reflecting a top-down security strategy [3].
Relevance to Security Professionals
For red teams and penetration testers, the expanded scope provides new opportunities to identify vulnerabilities in SberTech’s services. System administrators and CISOs should note the program’s focus on public endpoints, which often serve as entry points for attacks. BI.ZONE’s payout metrics—1 in 6 reports are rated high/critical—highlight the platform’s rigor [3].
Remediation and Participation
Organizations can learn from SberTech’s approach by:
- Prioritizing independent vulnerability assessments for client-facing services.
- Aligning reward structures with CVSS scores to incentivize researchers.
- Monitoring BI.ZONE’s public reports for emerging attack vectors.
The expansion underscores the growing role of bug bounty programs in enterprise security, particularly in high-risk sectors like fintech. With BI.ZONE’s platform now hosting 78 programs across 34 companies, it serves as a benchmark for regional cybersecurity practices [3].
References
- [1] “SberTech Official Announcement,” SberTech, Apr. 2025.
- [2] “SberBank’s Bug Bounty Programs,” Connect-WIT, Aug. 2024.
- [3] “BI.ZONE Platform Trends,” TelecomDaily, Aug. 2024.