Dotcom tempts fate with €10,000 reward programme
Kim Dotcom is putting his money where his mouth is with a €10,000 reward programme for anyone who finds a crypto or security bug in his new file sharing service Mega (I use "his" in the loose sense here, since in real-world terms Mega is 90% owned by a trust controlled by his wife, and run by Tony Lentino. Of course, this is not the real world, but the sometimes looney, sometimes brilliant Planet Kim Dotcom).
There are a number of provisos: we're talking "up to" €10,000. The amount depends on the complexity of the vulnerability identified. And various elements are not covered - from the obvious (social engineering) to the less so, such as those involving a "weak password" (so why allow one?) or an "outdated" web browser.
But all in all, it looks like the Mega crew now has enough confidence in the service's security to let the competition begin (Dotcom first mentioned possible cash rewards a couple of days after Mega's January 20 launch).
A Mega blog post announcing the cash rewards begins:
Immediately after our launch, our security model and implementation came under intense crossfire, most of which turned out to be damp squibs (Forbes and ars technica published two of the worst examples). We have, however, also suffered three direct hits, and we want more! To improve MEGA's security, we are offering rewards to anyone reporting a previously unknown security-relevant bug or design flaw.
In a blog post, Mega chief technology officer Mathias Ortmann rebutted points raised by Forbes in detail, but did not raise substantive objections to the Ars Technica piece.
Earlier, NBR ONLINE passed on a request from Ars Technica security writer Lee Hutchinson, asking for a two- or three-sentence response to each of the major points he had made.
Ortmann replied, "Ars does not make blatant factual errors."
In brief, Hutchinson argued that Mega's decision to handle security and encryption in the web browser makes things easier for users, and for Mega to deploy updates, but makes the service more vulnerable to exploits overall.
If you can spot one, €10,000 could be yours.
That would be a smart line to end on. But I'll just add that, while a touch peevish and defensive, overall the Mega crew has been pretty open about crypto and security. Imagine if Novopay developer Talent2 left a blog post response to each major criticism, or ran a public bug bounty (an increasingly popular practice).
Nor does Mega claim a perfect record so far. There was initial overload, of course, with the German-hosted service. And in a January 22 email to NBR, Ortmann acknowledged "a cross-site scripting issue [that] was a huge egg in our faces. However, it was fixed within an hour of being reported to us."
But while the success of Mega still hangs very much in the balance, I don't think anyone could accuse Kim and co. of being secretive about its setup.