This contest is over, but the Telegram Bug Bounty Program is always open.
Security researchers are welcome to submit any issues they find in the Telegram apps or protocol to us at security@telegram.org. All submissions which result in a change of code or configuration are eligible for bounties, ranging from $100 to $100,000 or more, depending on the severity of the issue.
Earlier this year we had a contest to decipher intercepted Telegram messages, that did not produce a winner. Today we announce a new contest with an easier task and a larger prize — $300,000 for cracking Telegram's encryption, and this time contestants can not only monitor traffic, but also act as the Telegram server and use active attacks, which vastly increases their capabilities.
In this contest you assume the role of a malicious entity in full control of both the communication lines and the Telegram servers themselves.
UPD The current round of the contest is over. Go to results »
Your goal is to extract sensitive data (a secret email address) from a Secret Chat between two users — Nick and Paul. You control the entire process, from chat creation to the sending of each individual message and can perform various active attacks, including MITM, KPA, CPA, replay attacks, etc.
In order to facilitate the task, we have created an interface, using which you can act as the server and determine which side gets what data. For more details, please check out the Cracking Contest Description.
In order to confirm that Telegram crypto was indeed cracked and claim your $300,000, you'll need to send an email to the secret email address that you've extracted from one of the messages exchanged by Paul and Nick.
Your email must contain:
- The entire text of the message that contained the secret email.
- Session logs for the successful attempt with your user_id.
- A detailed explanation of the attack on the protocol.
- Your bank account details to receive the $300,000 prize.
There is also a bonus objective with an independent prize of $100,000.
See full description for details »
To prove that the competition was fair, we will add a command that returns the keys used for encryption as soon as a winner is announced. In case there is no winner by February 4, 2015, decryption commands will be added at that date.
November 4, 2014
The Telegram Team