If you’re a hacker or a security researcher, this is a reminder that you don’t have to take on Google’s or Mozilla’s software to get paid for finding a bug. In its first week, the Mega vulnerability reward program has already confirmed and fixed seven bugs, showing that Dotcom really does put his money where his mouth is.
Although Mega hasn’t shared how much money it paid out in the first week, how many bug submissions were made, or even who found which bugs, the company did briefly detail the discovered security holes. It also confirmed that the program is here to stay and urged those participating to find more severe bugs.
“This event was off the charts”
Gary Vaynerchuk was so impressed with TNW Conference 2016 he paused mid-talk to applaud us.
Mega also revealed the program classifies vulnerabilities based on their impact. Here are the six classes in order of most severe to least severe:
- Severity class VI: Fundamental and generally exploitable cryptographic design flaws.
- Severity class V: Remote code execution on core MEGA servers (API/DB/root clusters) or major access control breaches.
- Severity class IV: Cryptographic design flaws that can be exploited only after compromising server infrastructure (live or post-mortem).
- Severity class III: Generally exploitable remote code execution on client browsers (cross-site scripting).
- Severity class II: Cross-site scripting that can be exploited only after compromising the API server cluster or successfully mounting a man-in-the-middle attack (e.g. by issuing a fake SSL certificate + DNS/BGP manipulation).
- Severity class I: All lower-impact or purely theoretical scenarios.
In the first week, no Class V and VI vulnerabilities were reported. Here’s the breakdown for the seven bug bounties:
- One Class IV vulnerability: Invalid application of CBC-MAC as a secure hash to integrity-check active content loaded from the distributed static content cluster. Mitigating factors: No static content servers had been operating in untrusted data centres at that time, thus no elevated exploitability relative to the root servers, apart from a man-in-the-middle risk due to the use of a 1024 bit SSL key on the static content servers. Fixed within hours.
- Three Class III vulnerabilities: i) XSS through file and folder names. Mitigating factors: None. Fixed within hours. Ii) XSS on the file download page. Mitigating factors: Chrome not vulnerable. Fixed within hours. iii) XSS in a third-party component (ZeroClipboard.swf). Mitigating factors: None. Fixed within hours.
- One Class II vulnerability: XSS through strings passed from the API server to the download page (through three different vectors), the account page and the link export functionality. Mitigating factors – apart from the need to control an API server or successfully mounting a man-in-the-middle attack –: None. Fixed within hours.
- Two Class I vulnerabilities: i) HTTP Strict Transport Security header was missing. Fixed. Also, mega.co.nz and *.api.mega.co.nz will be HSTS-preloaded in Chrome. Ii) X-Frame-Options header was missing, causing a clickjacking/UI redressing risk. Fixed.
Again, it’s not clear how much each of these bugs are worth. Kim Dotcom first offered up to a €10,000 (about $13,500) bounty for anyone who broke the company’s security systems and then made it official with the security program’s launch on February 2.
Since there were no high-class severity flaws reported in the first week, we can’t use that number. Kim Dotcom did, however, reveal information about one of the payouts in one of his retweets:
— The Hacker News™ (@TheHackersNews) February 10, 2013
This appears to be one of the class III severity bug discovered. It’s thus safe to say Mega has already paid out thousands of dollars in bug bounties during the first week of its security program.
Update at 11:45PM EST: Dotcom has confirmed to TNW that the above bounty was one of three Mega has paid out so far. All of them were fixed.
Image credit: Miguel Saavedra