With respect, I think what you are suggesting would only complicate the evaluation of this complex situation. Dropping relevant context and focusing only on a specific action is not the way to reach a rational conclusion.
In my view, we must integrate this action on the part of Telegram with all of the other things we know about the situation. That's a tall order, because it means integrating this specific action (paying the $100K) with many other topics, such as the various people making claims, their expertise and possible motivations, computer cryptography and computer security, strategies that companies sometimes use to gain access to personal information, the dangers posed by weak cryptography, etc.
Only when all of the facts square with each other will we have a rational basis for trusting Telegram Messenger and the people behind it.
Don't get me wrong, I lean towards the "Telegram's security is a joke and the contest is even more so" camp. I was commenting solely on the specific issue: that if someone uncovers a flaw in your software and you pay out in order to get some good publicity, the fact remains that you've still done a good thing by paying out.
> Unless it turned out they'd set the whole thing up
That's an important question. Really curious to know if the user x7mz steps up to take the reward and if Telegram would release any proof of payment (minus any obvious info that would give away the identity of x7mz).
This vulnerability seems to be connected to Diffie-Hellman, right? Even a rudimentary search shows that a MITM is easy on it. I wonder if it's even possible that they did not know this one?