<p><strong>UPD:</strong> See <ahref="https://core.telegram.org/bug-bounty">this page</a> for the latest details about the <ahref="https://core.telegram.org/bug-bounty">Telegram Bug Bounty Program</a>.</p>
<p>A few days ago we launched a <ahref="http://telegram.org/crypto_contest"><strong>contest</strong></a> to improve Telegram's security and are delighted to already have the first results. A <ahref="http://habrahabr.ru">Russian IT-community</a> user identified a potentially vulnerable spot in our secret chat implementation. While this would not help him decipher the traffic and win <ahref="http://telegram.org/crypto_contest">the contest</a>, his achievement deserves a notice — and a big prize.</p>
<blockquote>
<p>The habrahabr user <ahref="http://habrahabr.ru/users/x7mz/">x7mz</a> had discovered that in case the Telegram server could be seized by a malicious third party, it could send different nonce numbers to each of the clients participating in a secret chat.</p>
<p>These nonce numbers were introduced to add more randomness to the secret chat keys, mostly because of possible undiscovered vulnerabilities of the random generators on mobile devices (for example, one such vulnerability was found this August in <ahref="http://android-developers.blogspot.ru/2013/08/some-securerandom-thoughts.html">android phones</a>).</p>
<p>As was pointed out, this solution would have also made it possible for the visual representations of the shared secret key to be identical in case of a man-in-the-middle attack — provided such attack was done by the seized server. Obviously, the server has been under Telegram's control all this time, so this theoretical threat never had a chance to come to life.</p>
</blockquote>
<p>The developer who found the potential weakness has earned a reward of <strong>$100,000</strong>. We have contacted him to find out how he would like to collect his prize.</p>
<p>A similar reward awaits anyone who finds viable ways of compromising <ahref="https://core.telegram.org/mtproto">MTProto’s</a> security (and there is an outstanding reward of $200,000 for <ahref="http://telegram.org/crypto_contest">deciphering Telegram traffic</a>). All submissions to <strong>security@telegram.org</strong> which result in a change of code or configuration are eligible for bounties, ranging from <strong>$500</strong> to <strong>$100,000</strong> or more, depending on the severity of the issue.</p>
<p>This story showcases the importance of keeping the <ahref="https://core.telegram.org/mtproto">protocol specification</a> and <ahref="http://telegram.org/source">source code</a> open — this way thousands of bright minds from all over the world can help us find potential vulnerabilities and improve the protocol.</p>
<p>Let’s keep on looking for any weak spots. Together we can make Telegram unbreakable.</p>
<ahref="https://t.me/share/url?url=https%3A%2F%2Ftelegram.org%2Fblog%2Fcrowdsourcing-a-more-secure-future&text=A%20guy%20from%20Russia%20just%20earned%20%24100%2C000.%20Crowdsourcing%20a%20More%20Secure%20Future"class="tl_telegram_share_btn"id="tl_telegram_share_btn"data-text="A guy from Russia just earned $100,000. Crowdsourcing a More Secure Future"data-url="https://telegram.org/blog/crowdsourcing-a-more-secure-future"><iclass="tl_telegram_share_icon"></i><spanclass="tl_telegram_share_label"target="_blank">Forward</span></a>
<ahref="https://twitter.com/share"class="tl_twitter_share_btn"id="tl_twitter_share_btn"data-text="A guy from Russia just earned $100,000. Crowdsourcing a More Secure Future"data-url="https://telegram.org/blog/crowdsourcing-a-more-secure-future"data-via="Telegram">Tweet <spanclass="tl_twitter_share_cnt"></span></a>
<divclass="dev_blog_card_lead">With this update, you can have a Telegram account without a SIM card and set up a global timer to automatically delete messages in all…</div>
<h4class="dev_blog_card_title">Infinite Reactions, Emoji Statuses and Much More</h4>
<divclass="dev_blog_card_lead">Telegram's previous update revolutionized emoji, adding an open platform for creating custom animated emoji. This update gives you even…</div>
