Kim Dotcom Reveals The MEGA Vulnerability Reward Program Offering Up To €10,000 Per Bug


Kim Dotcom today announced the vulnerability reward program for his new cloud storage site, MEGA, and is offering up to €10,000 (USD$13,600) per bug found.

The bounty is being offered not only as a way for the company to get security researchers and hackers interested in finding serious bugs and flaws, but also in response to the security issues that were brought to light by Forbes and Ars Technica last week. This kind of testing is not only crucial but pivotal for a company that people will be trusting to store their data in the cloud, which is why MEGA hopes that more bugs will be found so that it can further harden the site and servers against future attacks. The release of this program comes just a day after Twitter revealed that approximately 250,000 user accounts were compromised during an attack on its servers, due to a weakness in Java, giving the attackers access to limited user information including usernames, email addresses, session tokens and encrypted/salted versions of passwords. This is why it is crucial for companies such as MEGA to offer rewards to researchers and hackers who find such vulnerabilities.

Other notable companies that run similar schemes are Google, Microsoft, Mozilla and Apple, who invite hackers to find vulnerabilities in their software at the now famous Pwn2Own competition held annually at CanSecWest. The prizes vary at Pwn2Own, and HP, who are sponsoring the event, have increased the rewards substantially this year. See here for the 2013 Pwn2Own rules.

HP is offering more than half a million dollars (USD) in cash and prizes during the competition for vulnerabilities and exploitation techniques in the categories below. The first contestant to successfully compromise a selected target will win the prizes for that category. All prizes are in US currency.

  • Web Browser
    • Google Chrome on Windows 7: $100,000 plus the compromised laptop (estimated at $2,000) and 20,000 ZDI reward points (estimated at $10,000)
    • Microsoft Internet Explorer, either:
      1. IE 10 on Windows 8: $100,000 plus the compromised laptop (estimated at $2,000) and 20,000 ZDI reward points (estimated at $10,000), or
      2. IE 9 on Windows 7: $75,000 plus the compromised laptop (estimated at $2,000) and 20,000 ZDI reward points (estimated at $10,000)
    • Mozilla Firefox on Windows 7: $60,000 plus the compromised laptop (estimated at $2,000) and 20,000 ZDI reward points (estimated at $10,000)
    • Apple Safari on OS X Mountain Lion: $65,000 plus the compromised laptop (estimated at $2,000) and 20,000 ZDI reward points (estimated at $10,000)
  • Web Browser Plug-ins using Internet Explorer 9 on Windows 7
    1. Adobe Reader XI ($70,000) plus the compromised laptop (estimated at $2,000) and 20,000 ZDI reward points (estimated at $10,000)
    2. Adobe Flash ($70,000) plus the compromised laptop (estimated at $2,000) and 20,000 ZDI reward points (estimated at $10,000)
    3. Oracle Java ($20,000) plus the compromised laptop (estimated at $2,000) and 20,000 ZDI reward points (estimated at $10,000)

Below are the specifics, posted on the MEGA blog, of what types of bugs and vulnerabilities qualify for a reward of up to €10,000. Note that not all vulnerabilities will qualify for the maximum reward of €10,000; lesser security-related bugs will be rewarded depending on the complexity and nature of the bug.

What types of bugs qualify?

  • Remote code execution on any of our servers (including SQL injection)
  • Remote code execution on any client browser (e.g., through XSS)
  • Any issue that breaks our cryptographic security model, allowing unauthorized remote access to or manipulation of keys or data
  • Any issue that bypasses access control, allowing unauthorized overwriting/destruction of keys or user data
  • Any issue that jeopardizes an account’s data in case the associated e-mail address is compromised

What types of bugs do not qualify?

  • Any issue requiring active victim participation, such as phishing and social engineering attacks
  • Any issue resulting from users choosing weak passwords
  • Any issue requiring a very significant number of server requests to exploit
  • Any issue requiring a compromised client machine
  • Any issue requiring an unsupported or outdated client browser
  • Any issue requiring physical data centre access (see below for limited scope scenarios that allow for compromised servers)
  • Vulnerabilities in third party-operated services (e.g. resellers)
  • Any overloading/resource exhaustion/denial of service-type of attacks
  • Anything relying on forged SSL certificates
  • Anything requiring extreme computing power (2^60 cryptographic operations+) or a working quantum computer. This includes allegedly predictable random numbers — you qualify only if you are able to show an actual weakness rather than general conjecture.
  • Any bugs that are unrelated to the integrity, availability and confidentiality of user data
  • Any claims that reading and understanding our JavaScript code is successful cryptanalysis in itself — while it may be cryptic, it is not encrypted

Special scenarios

1. Compromised static CDN node (*.static.mega.co.nz)

Let’s assume that you have compromised one of our static content servers and are able to manipulate the files (including all JavaScript code) served from it. Can you leverage that achievement to compromise our security? Disclaimer: Influencing user actions through modified image files, while indeed a potential vulnerability in this context, is excluded!

2. Compromised user storage node (*.userstorage.mega.co.nz)

Let’s assume that you have gained access to one of our storage nodes and are able to manipulate it freely. You know that your victim is about to download a particular file residing on that node, but you don’t have its key. Can you manipulate its content so that it still downloads without error?

3. Compromised core infrastructure (*.api.mega.co.nz)

This is the most extreme scenario. Let’s assume that you have compromised our operational heart, the API servers. Can you trick API clients into surrendering usable keys for files in accounts that do not have any outgoing shares in them?

Bonus bounty — earn the maximum reward: Brute-force challenge

  • Send us the key that decrypts this file:
    https://mega.co.nz/#!FV4zmLKQ
  • Send us the password encoded in this signup confirmation link:
    https://mega.co.nz/#confirmPErZw9BeV5MILaLUyKRg5VTmPfkhpozPvNZ2djiZ9dmf1f8RIgQAi1Vo9l9vlJhidWdzQG1lZ2EuY28ubnoJV2hhdCBpcyB0aGUgcGFzc3dvcmQ_YBiKmiLdNFY

How much can I earn?

We offer up to EUR 10,000 per bug, depending on its complexity and impact potential.

Who is eligible?

The first finder of the bug. Bugs reported by third parties are typically not considered for a reward.

What is the disclosure policy?

You are free to disclose your finding to the general public after we confirm to you that the issue has been resolved.

Who makes the decision?

The decision whether you qualify and how much you earn is at our discretion, and while we will be fair and generous, you agree to accept our verdict as final.

How do I submit my finding?

Send an e-mail to bugs@mega.co.nz
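Special scenario 2 above (a compromised storage node that holds a file's ciphertext but not its key) is answered, on the defender's side, by authenticated encryption: the client verifies an integrity tag before accepting a download, so a node that flips bytes or truncates the object cannot make the file "download without error". The following is an added illustration of that principle, not MEGA's code and not a description of MEGA's actual file format (which this page does not give). It builds a toy encrypt-then-MAC scheme from the Python standard library only; the file key, nonce and sample file contents are constructed for the demo.

```python
"""Added illustration (not MEGA's implementation) of why a storage node that
holds only ciphertext cannot silently alter a file whose download is
integrity-checked by the client.

Toy encrypt-then-MAC scheme using only the standard library:
  - keystream: HMAC-SHA256(enc_key, nonce || counter) blocks XORed with data
  - tag:       HMAC-SHA256(mac_key, nonce || ciphertext), verified first
All keys and sample data below are constructed for the demo.
"""
import hashlib
import hmac
import os
import struct

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream derived from HMAC; deterministic for a (key, nonce) pair.
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(enc_key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        out.extend(block)
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def derive_keys(file_key: bytes):
    # Split one per-file key into independent encryption and MAC keys.
    enc_key = hmac.new(file_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(file_key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def encrypt_file(file_key: bytes, plaintext: bytes) -> bytes:
    # Output layout: nonce || ciphertext || tag. This is what the storage node stores.
    enc_key, mac_key = derive_keys(file_key)
    nonce = os.urandom(NONCE_LEN)
    ciphertext = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_file(file_key: bytes, blob: bytes) -> bytes:
    # Client-side download path: verify the tag BEFORE decrypting anything.
    enc_key, mac_key = derive_keys(file_key)
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("download rejected: truncated object")
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        raise ValueError("download rejected: integrity check failed")
    return _xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext)))


def decrypt_unauthenticated(file_key: bytes, blob: bytes) -> bytes:
    # The weak design the scenario warns about: decrypt without checking the tag.
    # A tampered ciphertext "downloads without error" and yields altered plaintext.
    enc_key, _ = derive_keys(file_key)
    nonce, ciphertext = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN]
    return _xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext)))


def storage_node_tamper(blob: bytes, offset: int, mask: int = 0x01) -> bytes:
    # Model the scenario: the node flips bits in stored ciphertext without knowing the key.
    b = bytearray(blob)
    b[NONCE_LEN + offset] ^= mask
    return bytes(b)


def download_outcome(file_key: bytes, blob: bytes) -> str:
    try:
        decrypt_file(file_key, blob)
        return "ok"
    except ValueError as e:
        return str(e)


def demo() -> dict:
    file_key = os.urandom(32)  # constructed per-file key, known only to the client
    plaintext = b"quarterly-report.pdf contents (constructed sample)"
    stored = encrypt_file(file_key, plaintext)
    assert decrypt_file(file_key, stored) == plaintext
    return {
        "untouched": download_outcome(file_key, stored),
        "tampered": download_outcome(file_key, storage_node_tamper(stored, 0)),
        "truncated": download_outcome(file_key, stored[:-1]),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:10s} -> {result}")
```

The design point is the order of operations in `decrypt_file`: the tag is checked over the entire stored object before a single byte is decrypted, and the comparison is constant-time. `decrypt_unauthenticated` shows the failure mode the scenario describes: with a plain stream cipher and no tag, a single flipped bit on the node produces a file that downloads cleanly but differs from what was uploaded.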

It will be interesting to see who is the first to find a major vulnerability and claim the maximum reward from MEGA. The clock's ticking…
