<div id="dev_page_content"><p>Telegram welcomes developers and the security research community to audit its services, <a href="https://telegram.org/apps#source-code">code</a> and <a href="https://core.telegram.org/mtproto">protocol</a> seeking vulnerabilities or security-related issues.</p>
<p>Security researchers can <a href="#submission">submit</a> any relevant issues they find at <a href="mailto:security@telegram.org">security@telegram.org</a>. All reports submitted in accordance with the <a href="#rules-and-principles">rules</a> and <a href="#program-scope">scope</a> outlined below which result in a change of code or configuration are eligible for bounties, ranging from <strong>$100</strong> to <strong>$100,000</strong> or more, depending on the severity of the issue.</p>
<blockquote>
<p>Telegram's <strong>bug bounty program</strong> has been continuously active <a href="https://telegram.org/blog/cryptocontest">since 2014</a>.</p>
</blockquote>
<h3><a class="anchor" name="rules-and-principles" href="#rules-and-principles"><i class="anchor-icon"></i></a>Rules and Principles</h3>
<p>Generally speaking, the purpose of Telegram's <strong>bug bounty program</strong> is to improve the safety of our platform thanks to cutting-edge technologies and modern penetration testing techniques. In accordance with this principle, we expect security professionals to employ common sense and to operate in good faith when researching issues – below is a <strong>non-exhaustive</strong> list of rules that always apply:</p>
<ul>
<li>Your testing <strong>cannot violate any law</strong>, <strong>disrupt</strong> Telegram's services or <strong>negatively affect</strong> other users in any way.</li>
<li>Vulnerabilities that are disclosed to the public or to third parties <strong>before they are addressed</strong> are not eligible for our bug bounty program. This includes vulnerability brokers.</li>
<li>Attempting to gain <strong>physical access</strong> to any of Telegram’s equipment is strictly prohibited.</li>
<li>Should you be eligible for a prize, you are <strong>responsible for any taxes</strong> and fees depending on your country of residency.</li>
<li>This bounty program is <strong>security-focused</strong> and therefore <strong>does not</strong> cover denial of service or load balancing issues resulting from spam, brute forcing, coordinated DDoS attacks, etc. Consequently, you are <strong>not allowed</strong> to perform any such action on our services.</li>
</ul>
<p>Researchers are welcome to use our dedicated <strong>test environment</strong> if they require it – instructions on how to access it can be found <a href="#test-environment">here</a>.</p>
<blockquote>
<p>Telegram will not take legal action against anyone who responsibly researches and discloses vulnerabilities in accordance with our rules.</p>
</blockquote>
<h3><a class="anchor" name="non-qualifying-issues" href="#non-qualifying-issues"><i class="anchor-icon"></i></a>Non-Qualifying Issues</h3>
<p>Reports should focus on the <strong>security-related</strong> severity and impact of the vulnerability. Below is a non-exhaustive list of issues that generally <strong>do not</strong> qualify for our program.</p>
<ol>
<li>Phishing attacks, spam</li>
<li>Token or session hijacking as a result of external <strong>malware</strong> on the OS</li>
<li>Irrelevant reports from scanners or automated tools</li>
<li>Attacks requiring physical access to the user's device</li>
<li>Missing cookie flags (HttpOnly, Secure, etc.)</li>
<li>Attacks requiring root access to the user's device</li>
<li>Clickjacking</li>
<li>Non-reproducible vulnerabilities deriving from outdated or reportedly flawed versions of open-source software</li>
<li>Vulnerabilities that rely on social engineering to either obtain sensitive credentials or have the user perform an unlikely sequence of actions</li>
<li>Presence of banner or version information, SSL/TLS best practices, etc.</li>
</ol>
<blockquote>
<p>An issue may only be submitted <strong>once</strong>. Duplicate issues submitted by either the same person or multiple people do not qualify – only the first report will be evaluated.</p>
</blockquote>
<h3><a class="anchor" name="program-scope" href="#program-scope"><i class="anchor-icon"></i></a>Program Scope</h3>
<p>Generally, any <strong>Telegram-owned</strong> or <strong>operated</strong> app, web service, domain, server and protocol that either handles or stores <strong>private user data</strong> is in scope.</p>
<p>Any <strong>unrelated bug</strong> (e.g. usability, interface, etc.) that doesn't impact security in any way is out of scope and should instead be reported on our dedicated public <a href="https://bugs.telegram.org/">bug tracking platform</a>.</p>
<p>Telegram relies on <strong>MTProto 2.0</strong>, a protocol specifically designed for <strong>speed and security</strong>. The full technical documentation is available <a href="https://core.telegram.org/mtproto">here</a>. We welcome any reports about vulnerabilities or design flaws in the protocol which could realistically result in <strong>unauthorized access</strong> to user data.</p>
<p>Official Telegram apps are <strong>open source</strong> and support <a href="https://core.telegram.org/reproducible-builds">reproducible builds</a>. <strong>Pre-built executables</strong> can be found <a href="https://telegram.org/apps">here</a>, while the full <strong>source code</strong> for each app is available <a href="https://telegram.org/apps#source-code">here</a>.</p>
<p>Below is a list of <strong>Telegram domains</strong> which can be considered in scope. Third-party domains that integrate Telegram pages or services are <strong>out of scope</strong>. Low-impact issues which don't pose a significant risk and don't fall under our <a href="#non-qualifying-issues">non-qualifying issues</a> may be in scope but could be awarded a smaller prize.</p>
<ul>
<li>telegram.org, *.telegram.org</li>
<li>t.me, *.t.me</li>
<li>tg.dev, *.tg.dev</li>
<li>telegram.me, *.telegram.me</li>
<li>*.telesco.pe</li>
<li>*.stel.com</li>
<li>contest.com</li>
<li>quiz.directory</li>
<li>telegra.ph</li>
</ul>
<h4><a class="anchor" name="third-party-applications-and-services" href="#third-party-applications-and-services"><i class="anchor-icon"></i></a>Third-Party Applications and Services</h4>
<p>Apps developed by <strong>third parties</strong> using the open <a href="https://core.telegram.org/schema">Telegram API</a>, as well as bots running under <a href="https://core.telegram.org/bots/api">Telegram's Bot API</a>, can only be considered in scope if the report targets a <strong>vulnerability on our end</strong> (e.g. vulnerable endpoint which poses a security risk).</p>
<p>Issues caused by third-party developers' <strong>malpractice</strong>, <strong>negligence</strong> or <strong>incorrect implementation</strong> of our <a href="https://core.telegram.org/mtproto/security_guidelines">Security Guidelines</a> are <strong>out of scope</strong> and should instead be promptly reported to the relevant developers.</p>
<h3><a class="anchor" name="submission" href="#submission"><i class="anchor-icon"></i></a>Submission</h3>
<p>If you have found an issue which is <a href="#program-scope">in scope</a>, is <a href="#non-qualifying-issues">eligible</a> and was found in accordance with our <a href="#rules-and-principles">rules</a>, you are welcome to submit it to <a href="mailto:security@telegram.org">security@telegram.org</a>.</p>
<p>We expect all reports to be written in English and to <strong>follow a consistent template</strong>, spacing included:</p>
<p>We ask for all submissions and correspondence to be sent <strong>directly</strong> to <a href="mailto:security@telegram.org">security@telegram.org</a> – Telegram currently does <strong>not</strong> maintain a presence on third-party bug bounty platforms or services.</p>
<p>Valid reports that result in a change of code or configuration are eligible for bounties, ranging from <strong>$100</strong> to <strong>$100,000</strong> or more, depending on the severity of the issue. We reserve the right to ultimately determine both the validity and the appropriate compensation for each report at our discretion.</p>
<p>In general, <strong>app-level changes</strong> can expect bounties ranging from <strong>$100</strong> to <strong>$10,000</strong>. <strong>Protocol-level issues</strong> may be eligible for rewards of up to <strong>$100,000</strong> or more.</p>
<h3><a class="anchor" name="test-environment" href="#test-environment"><i class="anchor-icon"></i></a>Test Environment</h3>
<p>To log in to the <strong>test environment</strong>, use either of the following:</p>
<p><strong>iOS</strong>: tap 10 times on the Settings icon > Accounts > Login to another account > Test.<br><strong>Telegram Desktop</strong>: open ☰ Settings > Shift + Alt + Right click ‘Add Account’ and select ‘Test Server’.<br><strong>macOS</strong>: click the Settings icon 10 times to open the Debug Menu, ⌘ + click ‘Add Account’ and log in via phone number.</p>
<p>The test environment is <strong>completely separate</strong> from the main environment, so you will need to create a new user account (or a new bot with <a href="https://t.me/botfather">@BotFather</a>).</p>
<p>You can send requests to the test <a href="https://core.telegram.org/bots/api">Bot API</a> in this format:</p>