Dotcom offers €10,000 Mega bounty for bugs

Kim Dotcom's Mega filesharing service has been criticised heavily by internet security experts for how it encrypts user files, but the Kiwi service is hitting back with a €10,000 (NZ$16,000) bounty for vulnerabilities found on the site.

The bounty was introduced last week with a blog post on the Mega website, which claims the site has already been attacked three times without being breached.

"And we want more," boasts Mega.

Mega's €10,000 comes with several caveats, notably that the amount offered will depend on the complexity of the vulnerability as judged by Mega.

Remote code injections, bypassing access controls, or compromising the actual encryption can claim the reward, but phishing and other social hacks do not qualify.

In addition, there are two bonus bounties which challenge would-be hackers to decrypt a file and to send in the password for an encoded sign-up link.

The main complaint from cryptographers is that the open-source encryption method used by the service keeps the decryption key on the user's computer. Mega calls this a user-controlled encryption system, relying on JavaScript-enabled browsers (Mega recommends Chrome) and a connection to Mega's servers to verify the authenticity of the decryption.

Mega says this is to simplify the encryption process for average users, who don't need to download specialised encryption software, but Nadim Kobeissi, the creator of the encrypted chat service Cryptocat, says this method is widely dismissed as insecure. Kobeissi's own service dropped a similar user-controlled encryption system in 2011, following complaints from security experts.

“It’s a nice website, but when it comes to cryptography they seem to have no experience... Quite frankly it felt like I had coded this in 2011 while drunk,” says Kobeissi to Forbes.

Following Kobeissi's comments in Forbes, he and Mega co-founder Bram van der Kolk have been firing shots over Twitter about the security of each other's services.