Instructions on how to report a vulnerability
We strive to be a strong link in your security chain, leveraging the benefits of zero-knowledge encryption to secure your data and communications. However, nobody is perfect, and we’re not either. That’s why we’d love to hear from you if you have discovered a qualifying vulnerability in our code or infrastructure.
Before contacting us, please read all the information on this page and follow the instructions.
How do I report vulnerabilities?
We value reports that are well-structured and explain the issues clearly. That way we can reproduce and understand the problem, and you can receive higher payouts faster. We recommend reading this post for tips on how to write bug bounty reports.
When your report is ready, please send it to bug@mega.nz
What are qualifying vulnerabilities?
- Remote code execution on any of our servers, including SQL injection flaws.
- Server-side request forgeries.
- Remote code execution on any client browser; for example, through cross-site scripting.
- Anything that breaks our cryptographic security model and allows unauthorised remote access to keys or data, or manipulation of them.
- Access control and authentication bypasses which could lead to unauthorised overwriting and deletion of keys or user data.
- Any issue that jeopardises user account data in cases where the associated email address is compromised.
What are out-of-scope vulnerabilities?
- Anything that actively requires user interaction, such as phishing and social engineering attacks.
- Weak user account passwords.
- Vulnerabilities that require a large number of server requests to exploit.
- Attacks requiring a compromised client machine.
- Issues occurring through the use of unsupported or outdated client browsers.
- Any issue requiring physical data centre access (see below for limited-scope scenarios that allow for compromised servers).
- Vulnerabilities in third-party operated services, such as resellers.
- Any overloading, resource exhaustion and denial-of-service type of attacks.
- Any scenario relying on forged SSL certificates.
- Anything requiring extreme computing power (2^60 cryptographic operations or more) or a working quantum computer, including allegedly predictable random numbers (if you are able to show an actual weakness rather than general conjecture, we may consider that as a qualifying bug report).
- Any bugs or issues unrelated to security vulnerabilities.
What are some special scenarios I can report?
Compromised static CDN node (*.static.mega.co.nz)
Let’s assume that you have compromised one of our static content servers and are able to manipulate the files (including all JavaScript code) served from it. Can you leverage that achievement to compromise our security?
Disclaimer: Influencing user actions through modified image files, while indeed a potential vulnerability in this context, is excluded.
Compromised user storage node (*.userstorage.mega.co.nz)
Let’s assume that you have gained access to one of our storage nodes and are able to manipulate it freely. You know that your victim is about to download a particular file residing on that node, but you don’t have its key. Can you manipulate its content so that it still downloads without an error?
Compromised core infrastructure (*.api.mega.co.nz)
This is the most extreme scenario. Let’s assume that you have compromised our operational heart, the API servers. Can you trick API clients into surrendering usable keys for files in accounts that do not have any outgoing shares in them?
How are vulnerabilities classified?
MEGA classifies vulnerabilities according to severity, on a scale from 1 to 6.
- Severity class 6: Fundamental cryptographic design flaws that are generally exploitable.
- Severity class 5: Remote code execution on core MEGA servers, such as application programming interface, database, and root clusters, or major access control breaches.
- Severity class 4: Cryptographic design flaws that can be exploited only after compromising server infrastructure, either live or post-mortem.
- Severity class 3: Generally exploitable remote code execution on client browsers (cross-site scripting).
- Severity class 2: Cross-site scripting that can be exploited only after compromising the API server cluster or mounting a man-in-the-middle attack, for example by issuing a fake TLS/SSL certificate plus DNS/BGP manipulation.
- Severity class 1: All lower-impact or purely theoretical vulnerability scenarios.
How much will I be rewarded?
We reward up to EUR 10,000 per vulnerability, depending on its complexity and impact potential.
High-quality bug and vulnerability reports that are well-structured, and documented with a proof of concept, will be rewarded at the top end of each severity class.
Who is eligible for a reward?
The first person to report a vulnerability that’s reproducible and verifiable by MEGA will receive a reward.
Who decides on the validity of a vulnerability report?
The decision on whether your report qualifies and how much you will be rewarded is at our discretion. While we will be fair and generous, by submitting a bug report, you agree to and accept that our verdict is final.
How long does it take to hear about a vulnerability I have reported?
We aim to reply to reports within a few days of receiving them. If you don’t hear from us within this timeframe, it could indicate that your report is erroneous or lacks sufficient detail to be considered properly. Please follow up via email if you’re confident that your report is complete and correct.
Responsible disclosure policy
Please adhere to the industry standard responsible disclosure policy, with a 90-day time period from when the reported vulnerability is verified and acknowledged, to give us time to test and deploy any fixes.