February 2nd 2013
Immediately after our launch, our security model and implementation came under intense crossfire, most of which turned out to be damp squibs (Forbes and ars technica published two of the worst examples). We have, however, also suffered three direct hits, and we want more! To improve MEGA's security, we are offering rewards to anyone reporting a previously unknown security-relevant bug or design flaw.
What types of bugs qualify?
Remote code execution on any of our servers (including SQL injection)
Remote code execution on any client browser (e.g., through XSS)
Any issue that breaks our cryptographic security model, allowing unauthorized remote access to or manipulation of keys or data
Any issue that bypasses access control, allowing unauthorized overwriting/destruction of keys or user data
Any issue that jeopardizes an account's data in case the associated e-mail address is compromised
What types of bugs do not qualify?
Any issue requiring active victim participation, such as phishing and social engineering attacks
Any issue resulting from users choosing weak passwords
Any issue requiring a very significant number of server requests to exploit
Any issue requiring a compromised client machine
Any issue requiring an unsupported or outdated client browser
Any issue requiring physical data centre access (see below for limited scope scenarios that allow for compromised servers)
Vulnerabilities in third party-operated services (e.g. resellers)
Any overloading/resource exhaustion/denial of service-type of attacks
Anything relying on forged SSL certificates
Anything requiring extreme computing power (2^60 or more cryptographic operations) or a working quantum computer. This includes allegedly predictable random numbers - you qualify only if you are able to show an actual weakness rather than general conjecture.
Any bugs that are unrelated to the integrity, availability and confidentiality of user data
2. Compromised user storage node (*.userstorage.mega.co.nz)
Let's assume that you have gained access to one of our storage nodes and are able to manipulate it freely. You know that your victim is about to download a particular file residing on that node, but you don't have its key. Can you manipulate its content so that it still downloads without error?
3. Compromised core infrastructure (*.api.mega.co.nz)
This is the most extreme scenario. Let's assume that you have compromised our operational heart, the API servers. Can you trick API clients into surrendering usable keys for files in accounts that do not have any outgoing shares in them?
Bonus bounty - earn the maximum reward: Brute-force challenge
Send us the key that decrypts this file:
Send us the password encoded in this signup confirmation link:
How much can I earn?
We offer up to EUR 10,000 per bug, depending on its complexity and impact potential.
Who is eligible?
The first finder of the bug. Bugs reported by third parties are typically not considered for a reward.
What is the disclosure policy?
You are free to disclose your finding to the general public after we confirm to you that the issue has been resolved.
Who makes the decision?
The decision whether you qualify and how much you earn is at our discretion, and while we will be fair and generous, you agree to accept our verdict as final.
How do I submit my finding?
Send an e-mail to firstname.lastname@example.org.