In a follow-up discussion on Twitter between Mega's chief programmer Bram van der Kolk and Nadim Kobeissi, developer of the encrypted instant messaging program Cryptocat, Kobeissi said: "Dude, your hashing algorithm has collisions in the space 2^64, and you think that 'doesn't qualify'???"
As part of the vulnerability reward program announced on Saturday, Mega has also launched a brute-force challenge that offers the maximum reward of $13,600 to anyone who decrypts a particular file encrypted with Mega's encryption scheme or to anyone who can crack the password from a hash included in a sign-up confirmation link.
Two weeks ago, a researcher named Steve Thomas, known online as "Sc00bz," released a tool called MegaCracker that can extract password hashes from Mega sign-up confirmation links sent via email and can attempt to crack them using a dictionary attack.
In response, Mega's administrators said at the time that the tool is "an excellent reminder not to use guessable/dictionary passwords." The new password hash cracking challenge is likely aiming to underscore that point by using a very strong password that cannot easily be recovered using dictionary attacks.
The value of each reward will be decided on a case by case basis by the Mega administrators depending on the flaw's complexity and potential impact. "The decision whether you qualify and how much you earn is at our discretion, and while we will be fair and generous, you agree to accept our verdict as final," the Mega administrators said.
If the same bug is reported by multiple individuals, only the person who reported it first will earn the reward. After the bug has been patched, the reporter is free to disclose it to the general public.
Sign up for CIO Asia eNewsletters.