Mega Starts Paying Researchers for Vulnerabilities, Though It's Not Naming Them
Mega's rewards program is under way and three security researchers have already been paid
Mega has been available for a few weeks now, but the cloud storage service is still getting attention. A short while ago, Kim Dotcom promised to start a security vulnerability rewards program, after the site had seen quite a lot of scrutiny from security experts. Now, Mega is reporting on the first bugs found and patched via this program. Seven vulnerabilities were fixed in total, some more serious than others.
Mega also listed six types of vulnerabilities that it will be rewarding people for, grouped based on their severity, with level six being the most dangerous. The most serious vulnerability fixed in the first round was a level four.
The program is here to stay, so expect more of these vulnerabilities to be discovered and fixed in time. Mega didn't reveal who found the bugs and how much it's paying for them, which may be a bit of a problem for the people looking for them.
For the experts, getting their names recognized is as important as, or maybe even more important than, the money they make from these programs.
Dotcom has confirmed that one researcher, Frans Rosén, got €1,000 or $1,337 for an XSS vulnerability. Incidentally, that's exactly how much Google pays for this type of vulnerability as well.