Monday, February 04, 2013

Mega security vulnerability program launches; offers nearly $14,000 per bug found

Security to his new Mega service, protecting both founder Kim Dotcom and end users against, say, copyright infringement accusations. Dotcom on Saturday tweeted a challenge to anyone, worth up to €10,000 per bug (approx. $13,660): Find security bugs in Mega.

His tweet said:
The #Mega crypto & security REWARD PROGRAM is live. Earn up to 10,000 EURO per vulnerability. https://mega.co.nz/#blog_6
One thing to be clear on is that the Mega Crypto and Security Reward Program, as it is called, offers "up to" €10,000 per bug. The bug must be a previously unknown security-relevant bug or design flaw and the amount of the reward “depends on its complexity and impact potential.”

According to the company, the following types of security issues apply:
  • Remote code execution on any of our servers (including SQL injection)
  • Remote code execution on any client browser (e.g., through XSS)
  • Any issue that breaks our cryptographic security model, allowing unauthorized remote access to or manipulation of keys or data
  • Any issue that bypasses access control, allowing unauthorized overwriting/destruction of keys or user data
  • Any issue that jeopardizes an account’s data in case the associated e-mail address is compromised
Anyone who finds a bug can submit it to bugs@mega.co.nz.

Dotcom has also issued a brute-force challenge. With the program, anyone who can send him the key that decrypts a specific file along with the password encoded in a signup confirmation link could be eligible to receive the maximum €10,000 reward.

Mega launched just two weeks ago and it is already storing nearly 50 million files. It passed a million registered users after its first day.

After his experience with MegaUpload, Dotcom is being supremely careful with Mega. In fact, Mega just recently blocked a third-party search engine, Mega-Search.me, from accessing publicly shared Mega files. Mega said the block was imposed not only because Mega-Search.me used the site's branding without permission, but also because Mega-Search.me didn't have a DMCA takedown policy or a registered agent.

Mega is built purely in HTML5 and the only supported browser is Chrome -- due to its robust HTML5 implementation (although users can try others). The servers were built from scratch, meaning, according to the company, that they should not be exploitable.

On the other hand, the disadvantage of proprietary technology is that extensive testing must be undertaken, both now and after site upgrades, in order to detect all possible vulnerabilities. That is why Dotcom has opened up the new program; it essentially crowdsources testing of the site.
