Telegram User Privacy Violated Again. Messenger Representatives Demand No Disclosure

A security researcher discovered that Telegram's auto-delete feature on Android left images in an open cache folder. After months of delays, Telegram offered a €1,000 bounty — but with an 8-page NDA that demanded unlimited confidentiality, even over tax documents.

Foreword

I found a vulnerability in the confidential messaging feature of the Telegram messenger. Messages that were supposed to auto-delete for participants in private and group chats were only deleted visually (the message window was cleared), while in reality the image messages remained on devices in an open cache.

Telegram offered me a reward for the bug report, but attached an 8-page contract to it.

I'll describe the whole sequence of events from start to finish. Most of my emails are in the screenshots.

The Timeline

March 5, 2021 — The Report

I submitted a vulnerability report to security@telegram.org, describing the issue: on Android devices (versions 7–10), when using the auto-delete message feature, images were not actually deleted from the device. They remained accessible at the path:

/Storage/Emulated/0/Telegram/Telegram Image

The images stayed in this folder in the clear, available to anyone with access to the device — which completely defeated the purpose of the auto-delete feature.
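To make the defect concrete, here is an added Python example (not Telegram's code, and a deliberately simplified model of the behaviour the report describes). A message is cleared from the chat view while the image bytes it referenced live in a separate cache directory; the flawed path removes only the message record, the hardened path removes the cached file first, and an audit function lists whatever media is left behind. The `Chat` class, the `IMG_<id>.jpg` naming and the temporary cache directory are all constructed for this example.

```python
"""
Added example modelling the auto-delete defect described above and the fix a
defender would expect.  Everything here (Chat, Message, the cache layout) is
constructed for illustration; it is not Telegram's code.
"""
import os
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Message:
    msg_id: int
    text: str
    image_path: Optional[str] = None  # where the client cached the media, if any


class Chat:
    """Minimal chat model: a message index plus a shared media cache directory."""

    def __init__(self, cache_dir: str) -> None:
        self.cache_dir = cache_dir
        self.messages: Dict[int, Message] = {}

    def receive_image(self, msg_id: int, text: str, image_bytes: bytes) -> None:
        # The client writes received media to a shared cache folder
        # (hypothetical layout, modelled on the report's "open cache").
        path = os.path.join(self.cache_dir, f"IMG_{msg_id}.jpg")
        with open(path, "wb") as fh:
            fh.write(image_bytes)
        self.messages[msg_id] = Message(msg_id, text, path)

    def auto_delete_visual_only(self, msg_id: int) -> None:
        # Flawed behaviour: the message leaves the chat view,
        # but the cached file is never touched.
        self.messages.pop(msg_id, None)

    def auto_delete(self, msg_id: int) -> None:
        # Hardened behaviour: remove the cached media before dropping the record,
        # so a failed unlink is visible instead of silently leaving the file.
        msg = self.messages.pop(msg_id, None)
        if msg and msg.image_path:
            try:
                os.remove(msg.image_path)
            except FileNotFoundError:
                pass  # already gone; nothing left to leak


def leftover_media(cache_dir: str,
                   exts: Tuple[str, ...] = (".jpg", ".jpeg", ".png", ".webp")) -> List[str]:
    """Audit check: media files that survive in the cache after deletion."""
    return sorted(n for n in os.listdir(cache_dir) if n.lower().endswith(exts))


def demo(flawed: bool) -> List[str]:
    """Run one scenario in a throwaway cache dir; return what auto-delete left behind."""
    with tempfile.TemporaryDirectory() as cache:
        chat = Chat(cache)
        # Constructed sample payload standing in for a received photo.
        chat.receive_image(1, "see attached", b"\xff\xd8\xff\xe0 constructed jpeg bytes")
        if flawed:
            chat.auto_delete_visual_only(1)
        else:
            chat.auto_delete(1)
        return leftover_media(cache)


if __name__ == "__main__":
    print("visual-only delete leaves:", demo(flawed=True))   # ['IMG_1.jpg']
    print("cascading delete leaves:  ", demo(flawed=False))  # []
```

The `leftover_media` check is the part worth keeping as a regression test for any client with an auto-delete or disappearing-message feature: after the timer fires, the media cache should contain nothing that belonged to the expired message.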

Vulnerability report email

March 7, 2021 — First Response

I received a reply acknowledging the report, with a promise to notify me soon. Then months of silence followed, punctuated by repetitive promises of "soon."

Telegram response animation

May 14, 2021 — Pressure

A threat to publish in the media finally forced Telegram to react more seriously.

Email threatening disclosure

July 8 – September 5, 2021 — Extended Correspondence

There was a long exchange of messages where Telegram kept promising updates but provided no concrete timeline for fixing the vulnerability.

Email correspondence with Telegram

More email correspondence

September 5, 2021 — The Bounty Offer

Telegram offered a reward of €1,000. For context, a previous vulnerability (CVE-2019-16248) had earned another researcher $2,500 with the right to publish. My vulnerability was arguably more severe — it affected the core privacy promise of the auto-delete feature.

Bounty offer email

September 17, 2021 — The Contract

Telegram sent an 8-page contract with extremely restrictive confidentiality clauses. Key provisions included:

  • A ban on disclosing any confidential information at any time after termination — with no expiration date
  • The confidentiality requirement extended even to tax documentation related to the bounty payment
  • No right to publish any details about the vulnerability, even after it was fixed
  • Written approval from Telegram required for any mention whatsoever

NDA contract page

After the Contract

I sent a response with questions about specific clauses and asked whether the terms could be revised. I pointed out that other bug bounty programs (including those of much larger companies) do not impose such draconian confidentiality requirements, and that the standard practice is to allow disclosure after a fix is deployed.

Response questioning NDA terms

Telegram never replied to my clarification questions. Communication simply stopped.

Final unanswered email

Additional Issues

After reporting the vulnerability, I received a beta version of the app that was supposed to contain the fix. However, this beta introduced additional bugs: manual message deletion was now broken too. Ironically, this was a more severe issue — and in a previous case, Telegram had paid five times more ($5,000) for a similar bug.

The Result

I never received the bounty. The vulnerability was eventually assigned CVE-2021-41861 after the publication of this article.

The core issue remains: Telegram positions itself as a secure, privacy-first messenger. Yet when a security researcher responsibly disclosed a critical flaw in one of its flagship privacy features, the company responded with months of delays, a low-ball offer, an oppressive NDA, and ultimately — silence.

Draw your own conclusions.