It is much more important to know what sort of patient has a disease than what sort of disease a patient has - Sir William Osler
DIGITAL STORAGE ENTREPRENEUR Kim Dotcom has kicked off a bug reward programme for the Mega file locker service.
Mega launched in January and immediately attracted sharp criticism from security experts.
Its security arrangements were criticised, but Dotcom welcomed hacking attempts on his system, saying that if anyone found problems then he would reward them for proof.
Dotcom has already acknowledged the bug hunters out there, and lined up the reward in earlier messages.
"#Mega and the beauty of open source. You find a bug. We fix it. You recommend something great. We implement it. Loving it," he said. "We look forward to work with the crypto community to make #Mega even better. We get lots of useful input. Thank you."
In a blog posted this weekend Dotcom explained the bug bounty programme and its reward. He said that so far the security holes found have been trifles.
"Immediately after our launch, our security model and implementation came under intense crossfire, most of which turned out to be damp squibs," he said.
"We have, however, also suffered three direct hits, and we want more! To improve Mega's security, we are offering rewards to anyone reporting a previously unknown security-relevant bug or design flaw."
That reward is €10,000. That's £8,600 or $13,600, depending on which side of the Atlantic you are standing.
Five types of bugs qualify: remote code execution on Mega servers, including SQL injection; remote code execution on any client browser; any successful attempts to break the cryptographic security model; and any break-ins that affect keys or user data.
The first person that reports the bug is eligible for the prize, and you are only allowed to go public with it once Mega confirms that it has been fixed.
There is a list of things that do not count however, so if you were drawing up a list of things to try it is time to start striking them off. Phishing attacks are a no-no, as is any exploit that is the result of a poorly-chosen user password.
Compromised client machines won't earn you the €10,000, nor will attacks that require a "significant number of server requests", while anyone that is considering physical datacentre access should put away the balaclava and gloves.
Third-party vulnerabilities are also non-payers, as is anything that uses a forged SSL certificate. Don't bother with denial of service attacks either, or anything that uses extreme computing power or a quantum computer to prove, rather than suggest, a weakness to see a payout. µ
Sign up for INQbot – a weekly roundup of the best from the INQ