
First week at MEGA Bounty Program, paid out thousands of dollars for seven Bugs

2013-02-11 07:37:00
Mohit Kumar
thehackernews.com

One week after launching a bug bounty program, Kim Dotcom’s new file-storage and sharing service MEGA claims to have fixed seven vulnerabilities. Mega hasn’t shared how much money it paid out in the first week or to whom, but it is clear that, as promised, MEGA paid out thousands of dollars in bug bounties during the first week of its security program.

We identified one bug hunter yesterday (as tweeted): Mr. _Frans Rosén_ received 1000 Euros in the bug fixing challenge. Kim Dotcom later retweeted this tweet, which confirmed Frans’s class III bug reward.

> Congratulations @fransrosen for XSS in #MEGA. Handsome EUR 1000 in Bug Bounty Program twitter.com/fransrosen/sta…
— The Hacker News™ (@TheHackersNews) February 10, 2013

In a blog post, Mega explained how it classifies vulnerabilities and their impacts. Vulnerabilities were classified into six classes, with I being the lowest risk and VI being the highest.

Details of the seven qualified bugs are shown below:

But the previous challenge to brute force the password from the confirmation link sent at sign up, or decrypt one of its hosted files, has remained unbroken.

“We believe that it would be premature to draw any conclusions at this time barely three weeks after our launch and one week into the program. It is clear that the vulnerabilities identified so far could all be found by checking only a few lines of code at a time; none of them required any analysis at a higher level of abstraction,” the Mega blog post said.