This contest is over, but Telegram's bug bounty program is always open. Security researchers are welcome to submit any issues they find in the Telegram apps or protocol to us at security@telegram.org. All submissions which result in a change of code or configuration are eligible for bounties, ranging from $500 to $100,000 or more, depending on the severity of the issue.

The current round of our contest to crack Telegram’s encryption ends with no winners. Despite the $300,000 bounty and the fact that contestants could act as the Telegram server passing info between the users (i.e. use any kinds of active attacks, manipulate traffic etc.) no one could decipher their Secret Chats by the beginning of February.

To demonstrate that the contest was fair, we‘ve added a decryption method to the contest bot’s list of commands – KEY. KEY returns the 256-byte encryption key used in the secret chat, so the task of the contest is now easily achieved.

Why are contests important?

One of the reasons we trust Telegram’s Secret Chats more than many of their alternatives, is that they're open to scrutiny from the world’s security experts. And while having open source apps and a well documented API makes this kind of scrutiny possible, it is our contests that create incentive for it.

That’s why we will definitely launch the next round of our contest later this year. It’ll take us some time to determine whether we can further simplify the task for the contestants. Once ready, we’ll announce the new round on Twitter.

Thank you for the vast amount of advice and comments you sent us during these last few months - your input allows us to improve Telegram with each new build.





February 11, 2015

The Telegram Team