Mega launches vulnerability reward program

Mega's founders offer to pay up to $13,600 for every serious security flaw found in the platform and reported responsibly

By Lucian Constantin, IDG News Service

For example, Mega's administrators said that "anything requiring extreme computing power (2^60 cryptographic operations+) or a working quantum computer" doesn't qualify for a reward. "This includes allegedly predictable random numbers -- you qualify only if you are able to show an actual weakness rather than general conjecture," they said.

In a follow-up discussion on Twitter between Mega's chief programmer Bram van der Kolk and Nadim Kobeissi, developer of the encrypted instant messaging program Cryptocat, Kobeissi said: "Dude, your hashing algorithm has collisions in the space 2^64, and you think that 'doesn't qualify'???"

As part of the vulnerability reward program announced on Saturday, Mega has also launched a brute-force challenge that offers the maximum reward of $13,600 to anyone who decrypts a particular file encrypted with Mega's encryption scheme or to anyone who can crack the password from a hash included in a sign-up confirmation link.

Two weeks ago, a researcher named Steve Thomas, known online as "Sc00bz," released a tool called MegaCracker that can extract password hashes from Mega sign-up confirmation links sent via email and can attempt to crack them using a dictionary attack.

In response, Mega's administrators said at the time that the tool is "an excellent reminder not to use guessable/dictionary passwords." The new password hash cracking challenge is likely aiming to underscore that point by using a very strong password that cannot easily be recovered using dictionary attacks.

The value of each reward will be decided on a case-by-case basis by the Mega administrators, depending on the flaw's complexity and potential impact. "The decision whether you qualify and how much you earn is at our discretion, and while we will be fair and generous, you agree to accept our verdict as final," the Mega administrators said.

If the same bug is reported by multiple individuals, only the person who reported it first will earn the reward. After the bug has been patched, the reporter is free to disclose it to the general public.
