Why Threema believes in bug bounty programs and pays up to CHF 10’000 for critical findings

Threema’s bug bounty program with GObugfree forms an integral part of their robust security management operations. Just months after launch, the Swiss pioneer increased the increased the bounty for critical vulnerability finds from CHF 4'000 to CHF 10'000.

GBF_Blog-Threema-belives-in-bug-bounty-programs.png

In May 2022,Threema GmbH and GObugfree AG jointly announced the relaunch of Threema’s public bug bounty program on GObugfree’s Swiss SaaS platform. Threema’s goal is to improve the security of its apps Threema and Threema Work by collaborating with the community of Friendly Hackers and experienced software experts through a public bug bounty program. Just months after launch, the Swiss pioneer increased the bounty levels to attract even more activity on the program.

A constantly evolving landscape

The cyber security landscape is constantly evolving. Advances in technology are making it easier for hackers to gain intel about potential targets, as well as providing them with new ways and automated tools to carry out their attacks.

The messenger’s whole raison d’être is to provide a secure and privacy-friendly messenger service. As such, Threema makes it their business to be acutely aware of the current and upcoming risks in cyberspace. And to arm themselves appropriately to stave off potential intruders.

Threema: In a league of its own

While they may look similar on the outside, Threema is fundamentally different from its competitors. Put simply, Threema adheres to the “privacy by design” principle and the others (like WhatsApp, Signal and Telegram), do not. Threema believes its users should be able to communicate without having to worry about privacy and security. It is the only service that can be used anonymously, i.e., without providing personally identifiable information (such as a phone number or email address). Threema operates and runs all its own servers, and there are no cloud or hosting services (such as Amazon AWS or Google Cloud) involved. Finally, all business decisions and software development are based on user’s security and data protection.

With Signal, providing a phone number is mandatory. Although Signal is also designed with security and data protection in mind, because it’s a US service, it is subject to the CLOUD Act, which entitles US authorities to access the service provider’s data.

WhatsApp has weak privacy protection because of its business model. Meta (Facebook), who own WhatsApp, is financed by selling targeted advertisements. This business model requires as detailed user information as possible. Therefore, WhatsApp cannot be used without disclosing personally identifiable information, and user data is used by Meta for marketing purposes.

Telegram is a cloud solution and cannot be considered “secure” by any definition of the word: Not only are messages not end-to-end encrypted by default, they are permanently stored on a server, where the service provider (or hackers) could read them at any time.

Protecting user data is Threema’s top priority

Threema’s service can be used without providing any personal data whatsoever, and the system is designed from the ground up to generate as little user data as technically possible. Groups and contact lists are managed on the users’ devices, not on the server. Messages are deleted immediately upon delivery, no log files are created, and no personally identifiable information is collected. Threema’s servers assume the role of a switch; messages and data are forwarded, but not permanently stored.

The connection between the app and the servers is secure against man-in-the-middle (MITM) attacks because the server authenticates itself to the app based on a public key that is hard-coded into the app and whose corresponding secret key is only known by the legitimate servers.

Threema carries out regular security audits and penetration testing, in addition to operating a public bug bounty program with GObugfree.

The bug bounty program harnesses the creative power and intelligence of the crowd and gives us an outside perspective. By inviting hackers from all walks of life to probe services, we test our systems continuously for a wider range of vulnerabilities.
Roman Flepp, Head of Marketing and Member of Management Board at Threema

Harnessing the crowd intelligence of friendly hackers

GObugfree manages Threema’s public bug bounty program. Under this setup, friendly hackers are invited to uncover and report security vulnerabilities on systems before they become an issue. Confirmed findings are rewarded with a financial bounty, according to their severity. It’s a white box approach, meaning testing happens from different angles, not according to predefined cases and scripts.

Roman Flepp, Head Marketing and Member of Management Board at Threema sees advantages to this approach: “The bug bounty program harnesses the creative power and intelligence of the crowd and gives us an outside perspective. By inviting hackers from all walks of life to probe services, we test our systems continuously for a wider range of vulnerabilities.” With the known shortage of professionals, this technique gives access to experienced independent professionals from across the globe.

Additionally, it is an on-going programme, meaning that there is continuous testing.

In GObugfree, we found a young startup team and a group of professionals who are as passionate about security as we are.
Roman Flepp, Head of Marketing and Member of Management Board at Threema

A bug bounty program is integral to robust security management operations

In the past, Threema ran their own bug bounty program. But it required a lot of resources to maintain. The effort required to vet researchers, evaluate, cross-check and validate findings and administer payouts with a wide-reaching public program should not to be underestimated.

In the words of Roman Flepp, Head of Marketing and Member of Management Board at Threema: “In GObugfree, we found a young startup team and a group of professionals who are as passionate about security as we are. GObugfree offers a fully managed programme, meaning they look after all the grunt work so that we can devote our time to fixing any reported vulnerabilities - and further developing our products.”

Hackers are not standing still. In the same way as businesses adjust their products and services to the external market environment, so too do companies need to continually adapt and expand their security measures to stay ahead of the curve. Threema’s bug bounty program with GObugfree forms an integral part of their robust security management operations designed to protect users’ data and privacy.


The first Threema version was released on December 12, 2012 in Apple’s App Store. A few months later came the first Android version. The user base quickly grew to 250,000. Today there are about 11 million Threema users.

In addition to a private version, Threema also offers a corporate solution, Threema Work, which is the trusted internal message choice of thousands of companies and organizations worldwide.