mirror of
https://github.com/MarshalX/telegram-crawler.git
synced 2024-12-12 18:01:02 +01:00
203 lines
15 KiB
HTML
203 lines
15 KiB
HTML
<!DOCTYPE html>
|
||
<html class="">
|
||
<head>
|
||
<meta charset="utf-8">
|
||
<title>Telegram Bug Bounty Program</title>
|
||
<meta name="viewport" content="width=device-width, initial-scale=1.0">
|
||
<meta property="description" content="Telegram welcomes developers and the security research community to audit its services, code and protocol seeking vulnerabilities or security-related issues.">
|
||
<meta property="og:title" content="Telegram Bug Bounty Program">
|
||
<meta property="og:image" content="">
|
||
<meta property="og:description" content="Telegram welcomes developers and the security research community to audit its services, code and protocol seeking vulnerabilities or security-related issues.">
|
||
<link rel="icon" type="image/svg+xml" href="/img/website_icon.svg?4">
|
||
<link rel="apple-touch-icon" sizes="180x180" href="/img/apple-touch-icon.png">
|
||
<link rel="icon" type="image/png" sizes="32x32" href="/img/favicon-32x32.png">
|
||
<link rel="icon" type="image/png" sizes="16x16" href="/img/favicon-16x16.png">
|
||
<link rel="alternate icon" href="/img/favicon.ico" type="image/x-icon" />
|
||
<link href="/css/bootstrap.min.css?3" rel="stylesheet">
|
||
|
||
<link href="/css/telegram.css?236" rel="stylesheet" media="screen">
|
||
<style>
|
||
</style>
|
||
</head>
|
||
<body class="preload">
|
||
<div class="dev_page_wrap">
|
||
<div class="dev_page_head navbar navbar-static-top navbar-tg">
|
||
<div class="navbar-inner">
|
||
<div class="container clearfix">
|
||
<ul class="nav navbar-nav navbar-right hidden-xs"><li class="navbar-twitter"><a href="https://twitter.com/telegram" target="_blank" data-track="Follow/Twitter" onclick="trackDlClick(this, event)"><i class="icon icon-twitter"></i><span> Twitter</span></a></li></ul>
|
||
<ul class="nav navbar-nav">
|
||
<li><a href="//telegram.org/">Home</a></li>
|
||
<li class="hidden-xs"><a href="//telegram.org/faq">FAQ</a></li>
|
||
<li class="hidden-xs"><a href="//telegram.org/apps">Apps</a></li>
|
||
<li class=""><a href="/api">API</a></li>
|
||
<li class=""><a href="/mtproto">Protocol</a></li>
|
||
<li class=""><a href="/schema">Schema</a></li>
|
||
</ul>
|
||
</div>
|
||
</div>
|
||
</div>
|
||
<div class="container clearfix">
|
||
<div class="dev_page">
|
||
<div id="dev_page_content_wrap" class=" ">
|
||
<div class="dev_page_bread_crumbs"></div>
|
||
<h1 id="dev_page_title">Telegram Bug Bounty Program</h1>
|
||
|
||
<div id="dev_page_content"><p>Telegram welcomes developers and the security research community to audit its services, <a href="https://telegram.org/apps#source-code">code</a> and <a href="https://core.telegram.org/mtproto">protocol</a> seeking vulnerabilities or security-related issues.</p>
|
||
<p>Security researchers can <a href="#submission">submit</a> any relevant issues they find at <a href="mailto:security@telegram.org">security@telegram.org</a>. All reports submitted in accordance with the <a href="#rules-and-principles">rules</a> and <a href="#program-scope">scope</a> outlined below which result in a change of code or configuration are eligible for bounties, ranging from <strong>$100</strong> to <strong>$100,000</strong> or more, depending on the severity of the issue.</p>
|
||
<blockquote>
|
||
<p>Telegram's <strong>bug bounty program</strong> has been continuously active <a href="https://telegram.org/blog/cryptocontest">since 2014</a>.</p>
|
||
</blockquote>
|
||
<h3><a class="anchor" name="rules-and-principles" href="#rules-and-principles"><i class="anchor-icon"></i></a>Rules and Principles</h3>
|
||
<p>Generally speaking, the purpose of Telegram's <strong>bug bounty program</strong> is to improve the safety of our platform thanks to cutting-edge technologies and modern penetration testing techniques. In accordance with this principle, we expect security professionals to employ common sense and to operate in good faith when researching issues – below is a <strong>non-exhaustive</strong> list of rules that always apply: </p>
|
||
<ul>
|
||
<li>Your testing <strong>cannot violate any law</strong>, <strong>disrupt</strong> Telegram's services or <strong>negatively affect</strong> other users in any way.</li>
|
||
<li>Vulnerabilities that are disclosed to the public or to third parties <strong>before they are addressed</strong> are not eligible for our bug bounty program. This includes vulnerability brokers. </li>
|
||
<li>Attempting to gain <strong>physical access</strong> to any of Telegram’s equipment is strictly prohibited.</li>
|
||
<li><p>Should you be eligible for a prize, you are <strong>responsible for any taxes</strong> and fees depending on your country of residency.</p>
|
||
</li>
|
||
<li><p>This bounty program is <strong>security-focused</strong> and therefore <strong>does not</strong> cover denial of service or load balancing issues resulting from spam, brute forcing, coordinated DDoS attacks, etc. Consequently, you are <strong>not allowed</strong> to perform any such action on our services.</p>
|
||
</li>
|
||
</ul>
|
||
<p>Researchers are welcome to use our dedicated <strong>test environment</strong> if they require it – instructions on how to access it can be found <a href="#test-environment">here</a>.</p>
|
||
<blockquote>
|
||
<p>Telegram will not take legal action against anyone who responsibly researches and discloses vulnerabilities in accordance with our rules.</p>
|
||
</blockquote>
|
||
<h3><a class="anchor" name="non-qualifying-issues" href="#non-qualifying-issues"><i class="anchor-icon"></i></a>Non-qualifying issues</h3>
|
||
<p>Reports should focus on the <strong>security-related</strong> severity and impact of the vulnerability. Below is a non-exhaustive list of issues that generally <strong>do not</strong> qualify for our program.</p>
|
||
<p><strong>1</strong>. Phishing attacks, spam<br><strong>2</strong>. Token or session hijacking as a result of external <strong>malware</strong> on the OS<br><strong>3</strong>. Irrelevant reports from scanners or automated tools<br><strong>4</strong>. Attacks requiring physical access to the user's device<br><strong>5</strong>. Missing cookie flags (HttpOnly, Secure, etc.)<br><strong>6</strong>. Attacks requiring root access to the user's device<br><strong>7</strong>. Clickjacking<br><strong>8</strong>. Non-reproducible vulnerabilities deriving from outdated or reportedly flawed versions of open-source software<br><strong>9</strong>. Vulnerabilities that rely on social engineering to either obtain sensitive credentials or have the user perform an unlikely sequence of actions<br><strong>10</strong>. Presence of banner or version information, SSL/TLS best practices, etc.</p>
|
||
<blockquote>
|
||
<p>An issue may only be submitted <strong>once</strong>. Duplicate issues submitted by either the same person or multiple people do not qualify – only the first report will be evaluated.</p>
|
||
</blockquote>
|
||
<h3><a class="anchor" name="program-scope" href="#program-scope"><i class="anchor-icon"></i></a>Program Scope</h3>
|
||
<p>Generally, any <strong>Telegram-owned</strong> or <strong>operated</strong> app, web service, domain, server and protocol that either handles or stores <strong>private user data</strong> is in scope. </p>
|
||
<p>Any <strong>unrelated bug</strong> (e.g. usability, interface, etc.) that doesn't impact security in any way is out of scope and should instead be reported on our dedicated public <a href="https://bugs.telegram.org/">bug tracking platform</a>.</p>
|
||
<h4><a class="anchor" name="protocol" href="#protocol"><i class="anchor-icon"></i></a>Protocol</h4>
|
||
<p>Telegram relies on <strong>MTProto 2.0</strong>, a protocol specifically designed for <strong>speed and security</strong>. The full technical documentation is available <a href="https://core.telegram.org/mtproto">here</a>. We welcome any reports about vulnerabilities or design flaws in the protocol which could realistically result in <strong>unauthorized access</strong> to user data.</p>
|
||
<h4><a class="anchor" name="applications" href="#applications"><i class="anchor-icon"></i></a>Applications</h4>
|
||
<p>Official Telegram apps are <strong>open source</strong> and support <a href="https://core.telegram.org/reproducible-builds">reproducible builds</a>. <strong>Pre-built executables</strong> can be found <a href="https://telegram.org/apps">here</a>, while the full <strong>source code</strong> for each app is available <a href="https://telegram.org/apps#source-code">here</a>.</p>
|
||
<h4><a class="anchor" name="domains" href="#domains"><i class="anchor-icon"></i></a>Domains</h4>
|
||
<p>Below is a list of <strong>Telegram domains</strong> which can be considered in scope. Third-party domains that integrate Telegram pages or services are <strong>out of scope</strong>. Low-impact issues which don't pose a significant risk and don't fall under our <a href="#non-qualifying-issues">non-qualifying issues</a> may be in scope but could be awarded a smaller prize.</p>
|
||
<ul>
|
||
<li>telegram.org, *.telegram.org</li>
|
||
<li>t.me, *.t.me</li>
|
||
<li>tg.dev, *.tg.dev</li>
|
||
<li>telegram.me, *.telegram.me</li>
|
||
<li>*.telesco.pe</li>
|
||
<li>*.stel.com</li>
|
||
<li>contest.com</li>
|
||
<li>quiz.directory</li>
|
||
<li>telegra.ph</li>
|
||
</ul>
|
||
<h4><a class="anchor" name="third-party-applications-and-services" href="#third-party-applications-and-services"><i class="anchor-icon"></i></a>Third-Party Applications and Services</h4>
|
||
<p>Apps developed by <strong>third parties</strong> using the open <a href="https://core.telegram.org/schema">Telegram API</a>, as well as bots running under <a href="https://core.telegram.org/bots/api">Telegram's Bot API</a>, can only be considered in scope if the report targets a <strong>vulnerability on our end</strong> (e.g. vulnerable endpoint which poses a security risk). </p>
|
||
<p>Issues caused by third-party developers' <strong>malpractice</strong>, <strong>negligence</strong> or <strong>incorrect implementation</strong> of our <a href="https://core.telegram.org/mtproto/security_guidelines">Security Guidelines</a> are <strong>out of scope</strong> and should instead be promptly reported to the relevant developers.</p>
|
||
<h3><a class="anchor" name="submission" href="#submission"><i class="anchor-icon"></i></a>Submission</h3>
|
||
<p>If you found an issue which is <a href="#program-scope">in scope</a>, is <a href="#non-qualifying-issues">eligible</a> and was found in accordance to our <a href="#rules-and-principles">rules</a>, you are welcome to submit it to <a href="mailto:security@telegram.org">security@telegram.org</a>.</p>
|
||
<p>We expect all reports to be written in English and to <strong>follow a consistent template</strong>, spacing included:</p>
|
||
<pre><code># Attack surface: (e.g. my.telegram.org/auth)
|
||
# Severity: (e.g. 7) [Optional, CVSS v3 rating]
|
||
|
||
## Description:
|
||
[Describe the vulnerability briefly here, including its type]
|
||
|
||
## Steps to reproduce:
|
||
[1] Step one...
|
||
[2] Step two...
|
||
[n] Finally...
|
||
|
||
## Impact:
|
||
[What practical, realistic risk does this vulnerability pose?]
|
||
|
||
## Additional details:
|
||
[Tools used, preconditions, media proof, session and timestamps as needed]</code></pre>
|
||
<h5><a class="anchor" name="third-party-bug-bounty-platforms" href="#third-party-bug-bounty-platforms"><i class="anchor-icon"></i></a>Third-Party Bug Bounty Platforms</h5>
|
||
<p>We ask for all submissions and correspondence to be sent <strong>directly</strong> to <a href="mailto:security@telegram.org">security@telegram.org</a> – Telegram currently does <strong>not</strong> maintain a presence on third-party bug bounty platforms or services.</p>
|
||
<h3><a class="anchor" name="prize" href="#prize"><i class="anchor-icon"></i></a>Prize</h3>
|
||
<p>Valid reports that result in a change of code or configuration are eligible for bounties, ranging from <strong>$100</strong> to <strong>$100,000</strong> or more, depending on the severity of the issue. We reserve the right to ultimately determine both the validity and the appropriate compensation for each report at our discretion.</p>
|
||
<blockquote>
|
||
<p>In general, <strong>app-level changes</strong> can expect bounties ranging from <strong>$100</strong> to <strong>$10,000</strong>. <strong>Protocol-level issues</strong> may be eligible for rewards of up to <strong>$100,000</strong> or more.</p>
|
||
</blockquote>
|
||
<hr>
|
||
<h4><a class="anchor" name="test-environment" href="#test-environment"><i class="anchor-icon"></i></a>Test Environment</h4>
|
||
<p>To log in to the <strong>test environment</strong>, use either of the following:</p>
|
||
<p><strong>iOS</strong>: tap 10 times on the Settings icon > Accounts > Login to another account > Test.<br><strong>Telegram Desktop</strong>: open ☰ Settings > Shift + Alt + Right click ‘Add Account’ and select ‘Test Server’.<br><strong>macOS</strong>: click the Settings icon 10 times to open the Debug Menu, ⌘ + click ‘Add Account’ and log in via phone number.</p>
|
||
<p>The test environment is <strong>completely separate</strong> from the main environment, so you will need to create a new user account (or a new bot with <a href="https://t.me/botfather">@BotFather</a>).</p>
|
||
<p>You can send requests to the test <a href="https://core.telegram.org/bots/api">Bot API</a> in this format:</p>
|
||
<p><code>https://api.telegram.org/bot<token>/test/METHOD_NAME</code></p>
|
||
<blockquote>
|
||
<p>When working within the test environment, you may use HTTP links without TLS to test Web Apps.</p>
|
||
</blockquote>
|
||
</div>
|
||
|
||
</div>
|
||
|
||
</div>
|
||
</div>
|
||
<div class="footer_wrap">
|
||
<div class="footer_columns_wrap footer_desktop">
|
||
<div class="footer_column footer_column_telegram">
|
||
<h5>Telegram</h5>
|
||
<div class="footer_telegram_description"></div>
|
||
Telegram is a cloud-based mobile and desktop messaging app with a focus on security and speed.
|
||
</div>
|
||
|
||
<div class="footer_column">
|
||
<h5><a href="//telegram.org/faq">About</a></h5>
|
||
<ul>
|
||
<li><a href="//telegram.org/faq">FAQ</a></li>
|
||
<li><a href="//telegram.org/privacy">Privacy</a></li>
|
||
<li><a href="//telegram.org/press">Press</a></li>
|
||
</ul>
|
||
</div>
|
||
<div class="footer_column">
|
||
<h5><a href="//telegram.org/apps#mobile-apps">Mobile Apps</a></h5>
|
||
<ul>
|
||
<li><a href="//telegram.org/dl/ios">iPhone/iPad</a></li>
|
||
<li><a href="//telegram.org/android">Android</a></li>
|
||
<li><a href="//telegram.org/dl/web">Mobile Web</a></li>
|
||
</ul>
|
||
</div>
|
||
<div class="footer_column">
|
||
<h5><a href="//telegram.org/apps#desktop-apps">Desktop Apps</a></h5>
|
||
<ul>
|
||
<li><a href="//desktop.telegram.org/">PC/Mac/Linux</a></li>
|
||
<li><a href="//macos.telegram.org/">macOS</a></li>
|
||
<li><a href="//telegram.org/dl/web">Web-browser</a></li>
|
||
</ul>
|
||
</div>
|
||
<div class="footer_column footer_column_platform">
|
||
<h5><a href="/">Platform</a></h5>
|
||
<ul>
|
||
<li><a href="/api">API</a></li>
|
||
<li><a href="//translations.telegram.org/">Translations</a></li>
|
||
<li><a href="//instantview.telegram.org/">Instant View</a></li>
|
||
</ul>
|
||
</div>
|
||
</div>
|
||
<div class="footer_columns_wrap footer_mobile">
|
||
<div class="footer_column">
|
||
<h5><a href="//telegram.org/faq">About</a></h5>
|
||
</div>
|
||
<div class="footer_column">
|
||
<h5><a href="//telegram.org/blog">Blog</a></h5>
|
||
</div>
|
||
<div class="footer_column">
|
||
<h5><a href="//telegram.org/apps">Apps</a></h5>
|
||
</div>
|
||
<div class="footer_column">
|
||
<h5><a href="/">Platform</a></h5>
|
||
</div>
|
||
<div class="footer_column">
|
||
<h5><a href="//telegram.org/press">Press</a></h5>
|
||
</div>
|
||
</div>
|
||
</div>
|
||
</div>
|
||
<script src="/js/main.js?47"></script>
|
||
|
||
<script>backToTopInit("Go up");
|
||
removePreloadInit();
|
||
</script>
|
||
</body>
|
||
</html>
|
||
|