If you discover a security vulnerability in our code or infrastructure, report it to us and get awarded up to €10,000 per vulnerability, depending on its complexity and impact potential.
We strive to be a strong link in your security chain, leveraging the benefits of zero-knowledge encryption to secure your data and communications. However, nobody is perfect, and we’re not either. That’s why we’d love to hear from you if you have discovered a qualifying vulnerability in our code or infrastructure.
Before contacting us, please read all the information on this page and follow the instructions.
We value reports that are well-structured and explain the issues clearly. That’s because we can reproduce and understand the problem, and you can receive higher payouts faster. We recommend reading this post for tips on how to write bug bounty reports. When your report is ready, please send it to firstname.lastname@example.org
Compromised static CDN node (*.static.mega.co.nz)
Disclaimer: Influencing user actions through modified image files, while indeed a potential vulnerability in this context, is excluded.
Compromised user storage node (*.userstorage.mega.co.nz)
Let’s assume that you have gained access to one of our storage nodes and are able to manipulate it freely. You know that your victim is about to download a particular file residing on that node, but you don’t have its key. Can you manipulate its content so that it still downloads without an error?
Compromised core infrastructure (*.api.mega.co.nz)
This is the most extreme scenario. Let’s assume that you have compromised our operational heart, the API servers. Can you trick API clients into surrendering usable keys for files in accounts that do not have any outgoing shares in them?
MEGA classifies vulnerabilities according to severity, on a scale from 1 to 6.
Severity class 6
Fundamental cryptographic design flaws that are generally exploitable
Severity class 5
Remote code execution on core MEGA servers, such as application programming interface, database, and root clusters or major access control breaches
Severity class 4
Cryptographic design flaws that can be exploited only after compromising server infrastructure, either live or post-mortem
Severity class 3
Generally exploitable remote code execution on client browsers (cross-site scripting)
Severity class 2
Cross-site scripting that can be exploited only after compromising the API server cluster or mounting a man-in-the-middle attack, for example by issuing a fake TLS/SSL certificate plus DNS/BGP manipulation
Severity class 1
All lower-impact or purely theoretical vulnerability scenarios
We award up to EUR 10,000 per vulnerability, depending on its complexity and impact potential.
High-quality bug and vulnerability reports that are well-structured, and documented with a proof of concept will be rewarded at the top end of each severity class.
The “first” person to report a vulnerability that’s reproducible and verifiable by MEGA will receive an award.
The decision on whether your report qualifies and how much you will be awarded is at our discretion. While we will be fair and generous, by submitting a bug report, you agree and accept that our verdict is final.
We aim to reply to reports within 12 hours of receiving them. If you don’t hear from us within this timeframe, please follow up via email.
Responsible disclosure policy
Please adhere to the industry standard responsible disclosure policy, with a 90-day time period from when the reported vulnerability is verified and acknowledged, to give us time to test and deploy any fixes.