After, Mega is paying researchers and hackers alike to deliver even more punishment in order to improve its security.
Opening its Vulnerability Reward Program over the weekend, Mega is offering up to 10,000 euros for undiscovered bugs. The scope of the program has been limited to bugs that allow unauthorised access to keys or unencrypted data, could permit the destruction of keys and data, and/or expose users' email addresses.
In addition, Mega is accepting any bug that allows remote code execution either on client browser (such as using cross-site scripting flaws to dump and send session cookies to a third party), or on Mega's own servers (such as SQL injection to dump database contents).
The scope of the program has been additionally defined by a number of restrictions to eliminate bugs that are either trivial or have consequences that could exist for the wider web, rather than just Mega. These range from users picking weak passwords or having an insecure machine to start with, to exploits that first require a third-party service to be exploited, or even those that require a quantum computer.
Compromising Mega's servers will also not be enough to attract the maximum reward. Mega has three separate scenarios for attackers that manage to compromise its static content, storage, and API servers, requiring attackers to demonstrate that by gaining access to these servers, they are then able to actually compromise users.
To gain the maximum reward, Mega has two challenges. The first simply asks would-be attackers to download and decrypt a certain file from Mega's servers in order to test its security model.
The second is a jab at recent work by Steve Thomas who created MegaCracker, a tool to extract the hashed password from the confirmation emails sent by Mega at the time of sign up. Mega has provided a signup confirmation link, challenging anyone to provide the password in it. If a sufficiently complex password is picked, it should be near-impossible to determine without significant computing power.