telegram-crawler/data/web/core.telegram.org/bug-bounty.html
2022-10-29 23:19:41 +02:00
<!DOCTYPE html>
<html class="">
<head>
<meta charset="utf-8">
<title>Telegram Bug Bounty Program</title>
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta property="description" content="Telegram welcomes developers and the security research community to audit its services, code and protocol seeking vulnerabilities or security-related issues.">
<meta property="og:title" content="Telegram Bug Bounty Program">
<meta property="og:image" content="">
<meta property="og:description" content="Telegram welcomes developers and the security research community to audit its services, code and protocol seeking vulnerabilities or security-related issues.">
<link rel="icon" type="image/svg+xml" href="/img/website_icon.svg?4">
<link rel="apple-touch-icon" sizes="180x180" href="/img/apple-touch-icon.png">
<link rel="icon" type="image/png" sizes="32x32" href="/img/favicon-32x32.png">
<link rel="icon" type="image/png" sizes="16x16" href="/img/favicon-16x16.png">
<link rel="alternate icon" href="/img/favicon.ico" type="image/x-icon" />
<link href="/css/bootstrap.min.css?3" rel="stylesheet">
<link href="/css/telegram.css?233" rel="stylesheet" media="screen">
<style>
</style>
</head>
<body class="preload">
<div class="dev_page_wrap">
<div class="dev_page_head navbar navbar-static-top navbar-tg">
<div class="navbar-inner">
<div class="container clearfix">
<ul class="nav navbar-nav navbar-right hidden-xs"><li class="navbar-twitter"><a href="https://twitter.com/telegram" target="_blank" data-track="Follow/Twitter" onclick="trackDlClick(this, event)"><i class="icon icon-twitter"></i><span> Twitter</span></a></li></ul>
<ul class="nav navbar-nav">
<li><a href="//telegram.org/">Home</a></li>
<li class="hidden-xs"><a href="//telegram.org/faq">FAQ</a></li>
<li class="hidden-xs"><a href="//telegram.org/apps">Apps</a></li>
<li class=""><a href="/api">API</a></li>
<li class=""><a href="/mtproto">Protocol</a></li>
<li class=""><a href="/schema">Schema</a></li>
</ul>
</div>
</div>
</div>
<div class="container clearfix">
<div class="dev_page">
<div id="dev_page_content_wrap" class=" ">
<div class="dev_page_bread_crumbs"></div>
<h1 id="dev_page_title">Telegram Bug Bounty Program</h1>
<div id="dev_page_content"><p>Telegram welcomes developers and the security research community to audit its services, <a href="https://telegram.org/apps#source-code">code</a> and <a href="https://core.telegram.org/mtproto">protocol</a> seeking vulnerabilities or security-related issues.</p>
<p>Security researchers can <a href="#submission">submit</a> any relevant issues they find at <a href="mailto:security@telegram.org">security@telegram.org</a>. All reports submitted in accordance with the <a href="#rules-and-principles">rules</a> and <a href="#program-scope">scope</a> outlined below which result in a change of code or configuration are eligible for bounties, ranging from <strong>$100</strong> to <strong>$100,000</strong> or more, depending on the severity of the issue.</p>
<blockquote>
<p>Telegram&#39;s <strong>bug bounty program</strong> has been continuously active <a href="https://telegram.org/blog/cryptocontest">since 2014</a>.</p>
</blockquote>
<h3><a class="anchor" name="rules-and-principles" href="#rules-and-principles"><i class="anchor-icon"></i></a>Rules and Principles</h3>
<p>Generally speaking, the purpose of Telegram&#39;s <strong>bug bounty program</strong> is to improve the safety of our platform through cutting-edge technologies and modern penetration testing techniques. In accordance with this principle, we expect security professionals to employ common sense and to operate in good faith when researching issues. Below is a <strong>non-exhaustive</strong> list of rules that always apply:</p>
<ul>
<li>Your testing <strong>cannot violate any law</strong>, <strong>disrupt</strong> Telegram&#39;s services or <strong>negatively affect</strong> other users in any way.</li>
<li>Vulnerabilities that are disclosed to the public or to third parties <strong>before they are addressed</strong> are not eligible for our bug bounty program. This includes vulnerability brokers.</li>
<li>Attempting to gain <strong>physical access</strong> to any of Telegram&#39;s equipment is strictly prohibited.</li>
<li>Should you be eligible for a prize, you are <strong>responsible for any taxes</strong> and fees depending on your country of residency.</li>
<li>This bounty program is <strong>security-focused</strong> and therefore <strong>does not</strong> cover denial of service or load balancing issues resulting from spam, brute forcing, coordinated DDoS attacks, etc. Consequently, you are <strong>not allowed</strong> to perform any such action on our services.</li>
</ul>
<p>Researchers are welcome to use our dedicated <strong>test environment</strong> if they require it; instructions on how to access it can be found <a href="#test-environment">here</a>.</p>
<blockquote>
<p>Telegram will not take legal action against anyone who responsibly researches and discloses vulnerabilities in accordance with our rules.</p>
</blockquote>
<h3><a class="anchor" name="non-qualifying-issues" href="#non-qualifying-issues"><i class="anchor-icon"></i></a>Non-qualifying issues</h3>
<p>Reports should focus on the <strong>security-related</strong> severity and impact of the vulnerability. Below is a non-exhaustive list of issues that generally <strong>do not</strong> qualify for our program.</p>
<ol>
<li>Phishing attacks, spam</li>
<li>Token or session hijacking as a result of external <strong>malware</strong> on the OS</li>
<li>Irrelevant reports from scanners or automated tools</li>
<li>Attacks requiring physical access to the user&#39;s device</li>
<li>Missing cookie flags (HttpOnly, Secure, etc.)</li>
<li>Attacks requiring root access to the user&#39;s device</li>
<li>Clickjacking</li>
<li>Non-reproducible vulnerabilities deriving from outdated or reportedly flawed versions of open-source software</li>
<li>Vulnerabilities that rely on social engineering to either obtain sensitive credentials or have the user perform an unlikely sequence of actions</li>
<li>Presence of banner or version information, SSL/TLS best practices, etc.</li>
</ol>
<blockquote>
<p>An issue may only be submitted <strong>once</strong>. Duplicate issues submitted by either the same person or multiple people do not qualify; only the first report will be evaluated.</p>
</blockquote>
<h3><a class="anchor" name="program-scope" href="#program-scope"><i class="anchor-icon"></i></a>Program Scope</h3>
<p>Generally, any <strong>Telegram-owned</strong> or <strong>operated</strong> app, web service, domain, server and protocol that either handles or stores <strong>private user data</strong> is in scope. </p>
<p>Any <strong>unrelated bug</strong> (e.g. usability, interface, etc.) that doesn&#39;t impact security in any way is out of scope and should instead be reported on our dedicated public <a href="https://bugs.telegram.org/">bug tracking platform</a>.</p>
<h4><a class="anchor" name="protocol" href="#protocol"><i class="anchor-icon"></i></a>Protocol</h4>
<p>Telegram relies on <strong>MTProto 2.0</strong>, a protocol specifically designed for <strong>speed and security</strong>. The full technical documentation is available <a href="https://core.telegram.org/mtproto">here</a>. We welcome any reports about vulnerabilities or design flaws in the protocol which could realistically result in <strong>unauthorized access</strong> to user data.</p>
<h4><a class="anchor" name="applications" href="#applications"><i class="anchor-icon"></i></a>Applications</h4>
<p>Official Telegram apps are <strong>open source</strong> and support <a href="https://core.telegram.org/reproducible-builds">reproducible builds</a>. <strong>Pre-built executables</strong> can be found <a href="https://telegram.org/apps">here</a>, while the full <strong>source code</strong> for each app is available <a href="https://telegram.org/apps#source-code">here</a>.</p>
<h4><a class="anchor" name="domains" href="#domains"><i class="anchor-icon"></i></a>Domains</h4>
<p>Below is a list of <strong>Telegram domains</strong> which can be considered in scope. Third-party domains that integrate Telegram pages or services are <strong>out of scope</strong>. Low-impact issues which don&#39;t pose a significant risk and don&#39;t fall under our <a href="#non-qualifying-issues">non-qualifying issues</a> may be in scope but could be awarded a smaller prize.</p>
<ul>
<li>telegram.org, *.telegram.org</li>
<li>t.me, *.t.me</li>
<li>tg.dev, *.tg.dev</li>
<li>telegram.me, *.telegram.me</li>
<li>*.telesco.pe</li>
<li>*.stel.com</li>
<li>contest.com</li>
<li>quiz.directory</li>
<li>telegra.ph</li>
</ul>
<h4><a class="anchor" name="third-party-applications-and-services" href="#third-party-applications-and-services"><i class="anchor-icon"></i></a>Third-Party Applications and Services</h4>
<p>Apps developed by <strong>third parties</strong> using the open <a href="https://core.telegram.org/schema">Telegram API</a>, as well as bots running under <a href="https://core.telegram.org/bots/api">Telegram&#39;s Bot API</a>, can only be considered in scope if the report targets a <strong>vulnerability on our end</strong> (e.g. vulnerable endpoint which poses a security risk). </p>
<p>Issues caused by third-party developers&#39; <strong>malpractice</strong>, <strong>negligence</strong> or <strong>incorrect implementation</strong> of our <a href="https://core.telegram.org/mtproto/security_guidelines">Security Guidelines</a> are <strong>out of scope</strong> and should instead be promptly reported to the relevant developers.</p>
<h3><a class="anchor" name="submission" href="#submission"><i class="anchor-icon"></i></a>Submission</h3>
<p>If you have found an issue which is <a href="#program-scope">in scope</a>, is <a href="#non-qualifying-issues">eligible</a> and was found in accordance with our <a href="#rules-and-principles">rules</a>, you are welcome to submit it to <a href="mailto:security@telegram.org">security@telegram.org</a>.</p>
<p>We expect all reports to be written in English and to <strong>follow a consistent template</strong>, spacing included:</p>
<pre><code># Attack surface: (e.g. my.telegram.org/auth)
# Severity: (e.g. 7) [Optional, CVSS v3 rating]
## Description:
[Describe the vulnerability briefly here, including its type]
## Steps to reproduce:
[1] Step one...
[2] Step two...
[n] Finally...
## Impact:
[What practical, realistic risk does this vulnerability pose?]
## Additional details:
[Tools used, preconditions, media proof, session and timestamps as needed]</code></pre>
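<p>As an added illustration (not part of Telegram&#39;s page or tooling), the following Python parses a report written in the template above and flags the deviations a triager would otherwise have to spot by hand: a missing attack-surface header, a required section that is absent or empty, and steps that are not numbered consecutively. The sample report, its <code>example.invalid</code> host and the 0.0 to 10.0 range check on the optional CVSS v3 score are assumptions of the example.</p>

```python
import re
from typing import Dict, List
REQUIRED_SECTIONS = ("Description", "Steps to reproduce", "Impact", "Additional details")  # template order
# Constructed sample report (fictional host, placeholder steps) that follows the template.
SAMPLE_REPORT = """# Attack surface: example.invalid/auth
# Severity: 7.5
## Description:
Constructed placeholder text describing the issue and its type.
## Steps to reproduce:
[1] Constructed step one.
[2] Constructed step two.
## Impact:
Constructed placeholder impact statement.
## Additional details:
Constructed placeholder for tools, preconditions and proof.
"""

# Parse a template-formatted report into its fields and collect template violations.
def parse_report(text: str) -> Dict[str, object]:
    problems: List[str] = []
    lines = text.strip().splitlines()
    # Header: first line names the attack surface; an optional second line gives a CVSS v3 score.
    head = re.match(r"^# Attack surface:\s*(.+)$", lines[0]) if lines else None
    attack_surface = head.group(1).strip() if head else None
    if attack_surface is None:
        problems.append("first line must be '# Attack surface: <target>'")
    severity = None
    sev = re.match(r"^# Severity:\s*(\d+(?:\.\d)?)\s*$", lines[1]) if len(lines) > 1 else None
    if sev:
        severity = float(sev.group(1))
        if not 0.0 <= severity <= 10.0:
            problems.append("severity must be a CVSS v3 base score from 0.0 to 10.0")
    # Sections: a '## Heading:' line starts a section; the lines after it are its body.
    sections: Dict[str, str] = {}
    current = None
    for line in lines:
        hm = re.match(r"^## (.+?):\s*$", line)
        if hm:
            current = hm.group(1)
            sections[current] = ""
        elif current is not None:
            sections[current] += line + "\n"
    for name in REQUIRED_SECTIONS:
        if not sections.get(name, "").strip():
            problems.append(f"missing or empty section '## {name}:'")
    # Steps must be numbered [1], [2], ... consecutively so triage can follow them in order.
    steps = [int(n) for n in re.findall(r"^\[(\d+)\]", sections.get("Steps to reproduce", ""), re.M)]
    if steps != list(range(1, len(steps) + 1)):
        problems.append("steps must be numbered [1], [2], ... consecutively")
    return {"attack_surface": attack_surface, "severity": severity, "sections": {k: v.strip() for k, v in sections.items()}, "problems": problems}
```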
<h3><a class="anchor" name="prize" href="#prize"><i class="anchor-icon"></i></a>Prize</h3>
<p>Valid reports that result in a change of code or configuration are eligible for bounties, ranging from <strong>$100</strong> to <strong>$100,000</strong> or more, depending on the severity of the issue. We reserve the right to ultimately determine both the validity and the appropriate compensation for each report at our discretion.</p>
<hr>
<h4><a class="anchor" name="test-environment" href="#test-environment"><i class="anchor-icon"></i></a>Test Environment</h4>
<p>To log in to the <strong>test environment</strong>, use either of the following:</p>
<p><strong>iOS</strong>: tap 10 times on the Settings icon &gt; Accounts &gt; Login to another account &gt; Test.<br><strong>Telegram Desktop</strong>: open ☰ Settings &gt; Shift + Alt + Right click Add Account and select Test Server.<br><strong>macOS</strong>: click the Settings icon 10 times to open the Debug Menu, ⌘ + click Add Account and log in via phone number.</p>
<p>The test environment is <strong>completely separate</strong> from the main environment, so you will need to create a new user account (or a new bot with <a href="https://t.me/botfather">@BotFather</a>).</p>
<p>You can send requests to the test <a href="https://core.telegram.org/bots/api">Bot API</a> in this format:</p>
<p><code>https://api.telegram.org/bot&lt;token&gt;/test/METHOD_NAME</code></p>
<blockquote>
<p>When working within the test environment, you may use HTTP links without TLS to test Web Apps.</p>
</blockquote>
</div>
</div>
</div>
</div>
<div class="footer_wrap">
<div class="footer_columns_wrap footer_desktop">
<div class="footer_column footer_column_telegram">
<h5>Telegram</h5>
<div class="footer_telegram_description"></div>
Telegram is a cloud-based mobile and desktop messaging app with a focus on security and speed.
</div>
<div class="footer_column">
<h5><a href="//telegram.org/faq">About</a></h5>
<ul>
<li><a href="//telegram.org/faq">FAQ</a></li>
<li><a href="//telegram.org/privacy">Privacy</a></li>
<li><a href="//telegram.org/press">Press</a></li>
</ul>
</div>
<div class="footer_column">
<h5><a href="//telegram.org/apps#mobile-apps">Mobile Apps</a></h5>
<ul>
<li><a href="//telegram.org/dl/ios">iPhone/iPad</a></li>
<li><a href="//telegram.org/android">Android</a></li>
<li><a href="//telegram.org/dl/web">Mobile Web</a></li>
</ul>
</div>
<div class="footer_column">
<h5><a href="//telegram.org/apps#desktop-apps">Desktop Apps</a></h5>
<ul>
<li><a href="//desktop.telegram.org/">PC/Mac/Linux</a></li>
<li><a href="//macos.telegram.org/">macOS</a></li>
<li><a href="//telegram.org/dl/web">Web-browser</a></li>
</ul>
</div>
<div class="footer_column footer_column_platform">
<h5><a href="/">Platform</a></h5>
<ul>
<li><a href="/api">API</a></li>
<li><a href="//translations.telegram.org/">Translations</a></li>
<li><a href="//instantview.telegram.org/">Instant View</a></li>
</ul>
</div>
</div>
<div class="footer_columns_wrap footer_mobile">
<div class="footer_column">
<h5><a href="//telegram.org/faq">About</a></h5>
</div>
<div class="footer_column">
<h5><a href="//telegram.org/blog">Blog</a></h5>
</div>
<div class="footer_column">
<h5><a href="//telegram.org/apps">Apps</a></h5>
</div>
<div class="footer_column">
<h5><a href="/">Platform</a></h5>
</div>
<div class="footer_column">
<h5><a href="https://twitter.com/telegram" target="_blank" data-track="Follow/Twitter" onclick="trackDlClick(this, event)">Twitter</a></h5>
</div>
</div>
</div>
</div>
<script src="/js/main.js?46"></script>
<script>backToTopInit("Go up");
removePreloadInit();
</script>
</body>
</html>