
This article was published on February 2, 2013

Kim Dotcom launches Mega vulnerability reward program, offering up to $13,500 per bug

Kim Dotcom has officially launched his Mega vulnerability reward program that was announced last week. As we reported earlier, the founder of Mega, the newly launched file storage service, is challenging anyone to report a previously unknown security-relevant bug or design flaw. The enticement? He’s offering up to €10,000 per bug (approx. US$13,580), “depending on its complexity and impact potential.”

With this reward program, Dotcom seeks to further improve his new service’s security. He says that right after launch, Mega’s security model and implementation came “under intense crossfire” (especially from Ars Technica and Forbes) and that the service has also weathered several attacks. Mega is hoping for more, so that it can learn to better defend itself against unauthorized intrusions and bolster its protection.

Since participants can receive up to €10,000, it matters which bugs qualify. According to the company, the reward covers:

  • Remote code execution on any of our servers (including SQL injection)
  • Remote code execution on any client browser (e.g., through XSS)
  • Any issue that breaks our cryptographic security model, allowing unauthorized remote access to or manipulation of keys or data
  • Any issue that bypasses access control, allowing unauthorized overwriting/destruction of keys or user data
  • Any issue that jeopardizes an account’s data in case the associated e-mail address is compromised

Only the “first finder of the bug” is eligible for the prize; bugs that have already been reported by third parties are not normally considered for a reward.

As part of this program, Mega has presented three special scenarios for hackers to try and solve:

  1. Compromised static CDN node (*.static.mega.co.nz): Let’s assume that you have compromised one of our static content servers and are able to manipulate the files (including all JavaScript code) served from it. Can you leverage that achievement to compromise our security? Disclaimer: Influencing user actions through modified image files, while indeed a potential vulnerability in this context, is excluded!
  2. Compromised user storage node (*.userstorage.mega.co.nz): Let’s assume that you have gained access to one of our storage nodes and are able to manipulate it freely. You know that your victim is about to download a particular file residing on that node, but you don’t have its key. Can you manipulate its content so that it still downloads without error?
  3. Compromised core infrastructure (*.api.mega.co.nz): This is the most extreme scenario. Let’s assume that you have compromised our operational heart, the API servers. Can you trick API clients into surrendering usable keys for files in accounts that do not have any outgoing shares in them?

Dotcom is also offering another route to the reward: a brute-force challenge. Anyone who can send him the key that decrypts a specific file, together with the password encoded in a signup confirmation link, could be eligible for the maximum reward.

The company says that anyone who finds a bug can submit it to bugs@mega.co.nz.

The timing of Mega’s vulnerability reward program is interesting, especially in light of the cyberattacks on the Washington Post, The New York Times, and the Wall Street Journal. Additionally, the world learned today that Twitter was also the target of an attack this week.

Mega launched just two weeks ago and is storing nearly 50 million files. After just one day online, it passed a million registered users. On January 31, Dotcom announced his new initiative via Twitter:

Dotcom has certainly kept the site busy. Mega has just recently blocked a third-party search engine, Mega-Search.me, from accessing publicly available files shared by its users. It says it did so not only because the search engine used Mega’s branding without its permission, but also that it didn’t have a Digital Millennium Copyright Act (DMCA) takedown policy or registered agent.

Protecting the company and its users is important to Dotcom, especially when the threat is the government. When we asked him whether Mega would meet the same fate as his previous endeavor, Megaupload, he said it would be an entirely different situation. Mega, he says, is built purely in HTML5 and currently only supports Chrome, and the site doesn’t rely on any existing technology: the servers were built from the ground up with his own technology, which he believes will keep them from being exploited.

Custom technology has a corresponding drawback: it has not had the outside scrutiny that established components have, so extensive testing is needed to flush out its vulnerabilities. Mega is now crowdsourcing that testing.

Photo credit: Bala Sivakumar/Flickr
