Member log in

Dotcom tempts fate with €10,000 reward programme

Kim Dotcom is putting his money where is mouth is with a €10,000 reward programme for up anyone who finds a crypto or security bug with his new file sharing service Mega (I use "his" in the loose sense here since in real-world terms Mega is 90% owned by a trust controlled by his wife, and run by Tony Lentino. Of course this is not the real world, but on the sometimes looney, sometimes brilliant Planet Kim Dotcom).

There are a number of provisos: we're talking "up to" €10,000. The amount depends on the complexity of the vulnerability identified. And various elements are not covered - from the obvious (social engineering) to the the less so, such as those involving a "weak password" (so why allow one?) or an "outdated" web browser. 

But all-in-all, it looks like the Mega crew now has enough confidence the service's security to let the competition begin (Dotcom first mentioned possible cash rewards a couple of days after Mega's January 20 launch).

A Mega blog post announcing the cash rewards begins: 

Immediately after our launch, our security model and implementation came under intense crossfire, most of which turned out to be damp squibs (Forbes and ars technica published two of the worst examples). We have, however, also suffered three direct hits, and we want more! To improve MEGA's security, we are offering rewards to anyone reporting a previously unknown security-relevant bug or design flaw.

In a blog post, Mega chief technology officer Mathias Ortmann rebutted points raised by Forbes in detail, but did not raise substantive objections to the Ars Technica piece.

Earlier, NBR ONLINE passed on a request from Ars Technica security writer Lee Hutchison, asking for a two or three sentence response to each of the major points he had made.

Ortmann replied, "Ars does not make blatant factual errors." 

In brief, Hutchison argued that Mega's decision to have web browser-based security and encryption makes things easier for users, and for Mega to deploy updates, but makes the service more vulnerable to exploits overall.

If you can spot one, €10,000 could be yours.

That would be a smart line to end on. But I'll just add that while a touch peevish and defensive, overall the Mega crew has been pretty open about crypto and security. Imagine if Novopay developer Talent2 left a blog post response to each major criticism, or run a public bug bounty (an increasingly popular practice).

And neither does Mega claim a perfect record so far. There was initial overload, of course, with the German-hosted service. And  in a January 22 email to NBR, Ortmann acknowledged "a cross-site scripting issue [that] was a huge egg in our faces. However, it was fixed within an hour of being reported to us."

But while the success of Mega still hangs very much in the balance, but I don't think anyone could accuse Kim and co. of being secretive about its setup.

More by Chris Keall

More on:

Comments and questions

This is a great idea, but it's also not a new idea. Google and various other large software companies have had similar bounty programmes for years.

RSA been running these since early 90s

But will NSA apply?

But will they pay by sending bitcoins to an anonymous Bitcoin address?

Some offer. More hooks than kite fishing.

Realistic "hooks" though - if you choose a short password or give someone else your password then that's your stupidity, not a problem with the site.

Most sites nowdays test for very weak passwords or at least enforce a minimum password length. I was surprised that Mega didn't and I do think this is something they should fix.

The scary thing about Novapay is that 4 other government departments signed it off.

When you include IT privacy breaches at Work & Income, one has to start wondering if NZ Government has employed a bunch of nitwits.

As developer, I have seen some of the Novapay system via a teacher friend. It reminds me of how we USE to develop websites back in 1999.

Heads should be rolling in this debacle.

The very fact that you created this "program" makes it a double-edged sword. So you are able to discover bugs and you fix them immediately and make the site more secure. But it takes time! Meanwhile, hackers assail the site make user data unsafe.

Some of the security issues that are being raised hold Mega to a ridiculous standard. For example, it is unrealistic to expect Mega to verify whether or not the user's machine is compromised. Spy agencies have to worry about that kind of thing. But Mega need not. Whether or not my machine can be pwned is my problem not Mega's. If I was worried about that possibility I'd be running off an encrypted partition. Anyway, if someone else pwns my machine then I have much bigger problems than whether they can use it to access my bitlocker service.