They offered rewards of up to 10,000 Euros per bug, depending on its complexity and impact potential, and have also offered the maximum reward for anyone who can break Mega's open source encryption scheme.
A little over a week later, they revealed that seven bugs had been discovered and reported, but that nobody had managed to crack any of the brute-force challenges.
They also explained in more detail how reported vulnerabilities are classified:
- Severity class VI: Fundamental and generally exploitable cryptographic design flaws
- Severity class V: Remote code execution on core MEGA servers (API/DB/root clusters) or major access control breaches
- Severity class IV: Cryptographic design flaws that can be exploited only after compromising server infrastructure (live or post-mortem)
- Severity class III: Generally exploitable remote code execution on client browsers (cross-site scripting)
- Severity class II: Cross-site scripting that can be exploited only after compromising the API server cluster or successfully mounting a man-in-the-middle attack (e.g. by issuing a fake SSL certificate + DNS/BGP manipulation)
- Severity class I: All lower-impact or purely theoretical scenarios
According to TNW, Kim Dotcom has confirmed that three of the bounties have already been paid out; a tweet by The Hacker News revealed that the report on one of the XSS vulnerabilities was rewarded with 1,000 Euros.
"It is clear that the vulnerabilities identified so far could all be found by checking only a few lines of code at a time; none of them required any analysis at a higher level of abstraction," the company concluded in a blog post, adding that they hope that future submissions will include some that address higher-level and conceptual issues.