I actually have a theory that this is all a scam... the person who found the bug is actually the authors (or a friend) of the Telegram protocol. They published the security issue and reward themselves so that 1) they don't have to pay anyone else; 2) they get good publicity by doing this; 3) shut others up up front as this is really a very easy bug to figure out (a few others hinted the possibility as the key exchange is unautenticated DH, which is bound to flaws like this)
