30/06/2015

MEGA

The MEGA Vulnerability Reward Program

February 2nd 2013

by: Admin

Immediately after our launch, our security model and implementation came under intense crossfire, most of which turned out to be damp squibs (Forbes and ars technica published two of the worst examples). We have, however, also suffered three direct hits, and we want more! To improve MEGA's security, we are offering rewards to anyone reporting a previously unknown security-relevant bug or design flaw.

What types of bugs qualify?

Remote code execution on any of our servers (including SQL injection)

Remote code execution on any client browser (e.g., through XSS)

Any issue that breaks our cryptographic security model, allowing unauthorized remote access to or manipulation of keys or data

Any issue that bypasses access control, allowing unauthorized overwriting/destruction of keys or user data

Any issue that jeopardizes an account's data in case the associated e-mail address is compromised

What types of bugs do not qualify?

Any issue requiring active victim participation, such as phishing and social engineering attacks

Any issue resulting from users choosing weak passwords

Any issue requiring a very significant number of server requests to exploit

Any issue requiring a compromised client machine

Any issue requiring an unsupported or outdated client browser

Any issue requiring physical data centre access (see below for limited scope scenarios that allow for compromised servers)

Vulnerabilities in third-party-operated services (e.g. resellers)

Any overloading/resource exhaustion/denial of service-type of attacks

Anything relying on forged SSL certificates

Anything requiring extreme computing power (2^60 or more cryptographic operations) or a working quantum computer. This includes allegedly predictable random numbers - you qualify only if you are able to show an actual weakness rather than general conjecture.

Any bugs that are unrelated to the integrity, availability and confidentiality of user data

Any claims that reading and understanding our JavaScript code is successful cryptanalysis in itself - while it may be cryptic, it is not encrypted

Special scenarios

1. Compromised static CDN node (*.static.mega.co.nz)

Let's assume that you have compromised one of our static content servers and are able to manipulate the files (including all JavaScript code) served from it. Can you leverage that achievement to compromise our security? Disclaimer: Influencing user actions through modified image files, while indeed a potential vulnerability in this context, is excluded!

2. Compromised user storage node (*.userstorage.mega.co.nz)

Let's assume that you have gained access to one of our storage nodes and are able to manipulate it freely. You know that your victim is about to download a particular file residing on that node, but you don't have its key. Can you manipulate its content so that it still downloads without error?

3. Compromised core infrastructure (*.api.mega.co.nz)

This is the most extreme scenario. Let's assume that you have compromised our operational heart, the API servers. Can you trick API clients into surrendering usable keys for files in accounts that do not have any outgoing shares in them?

Bonus bounty - earn the maximum reward: Brute-force challenge

Send us the key that decrypts this file:

Send us the password encoded in this signup confirmation link:

How much can I earn?

We offer up to EUR 10,000 per bug, depending on its complexity and impact potential.

Who is eligible?

The first finder of the bug. Bugs reported by third parties are typically not considered for a reward.

What is the disclosure policy?

You are free to disclose your finding to the general public after we confirm to you that the issue has been resolved.

Who makes the decision?

The decision whether you qualify and how much you earn is at our discretion, and while we will be fair and generous, you agree to accept our verdict as final.

How do I submit my finding?

Send an e-mail to bugs@mega.co.nz.

FireBounty © 2015-2019