[hazz]

This would make sense if cryptography was a young field, but this iteration and improvement has been going on for thousands of years (and modern digital cryptography has been developing for the better half of a century). It is known how to implement cryptography securely. Just as you would expect bridges built today to stay up, and doctors working today to be properly trained, you should expect cryptography implementations to be sensible and secure, or at least not try to carve a new, experimental path when people's lives are potentially at stake.

[nationcrafting]

On the other hand, think about the benefits we get from seeing a bug in the software, and then seeing that Telegram have fixed it within the hour. Until a bug is shown and fixed, you don't even know whether it exists or not. So, you have doubt. But once it's exposed, and fixed, your attention is brought to an aspect of the software that you now know is good. The doubt is reduced. Which is a good thing.

[aioprisan]

That assumes that there are people with enough expertise and time to point out these flaws and the company actually listens to them. Something like an http/https grep is easy enough to do and doesn't require a lot of deep technical knowledge about how crypto works and should be designed, but someone doing an analysis of their entire algorithm and architecture for free and point it out to them? Forget about it. Especially since their "bounty" program has very specific parameters for what is acceptable to get any prize money.

[nationcrafting]

>and the company actually listens to them.

So far, Telegram have been listening a lot to people pointing out errors, and fixed their errors promptly.

>for free and point it out to them? Forget about it.

It doesn't appear to be for free: aside from their bounty program, Telegram have been rewarding various troubleshooters with pretty decent ex gratia payments in bitcoin. In the article linked to this title, the first comment was from Telegram, asking the author to contact them for a reward.

[aioprisan]

They haven't been transparent about the amounts nor about the parameters of the initial bounty, which does not mean that the algorithm is safe, but rather that it wouldn't be worth the reward in effort to expose a vulnerability in the exact specified way by the authors.