Just one week after launching a vulnerability rewards program for ethical hackers, the team behind the file hosting service Mega.co.nz has confirmed that the initiative is already yielding results.
In a blog post published on February 9, Mega announced that it had received no fewer than seven vulnerability reports from various security researchers and hobbyists.
While the identified vulnerabilities are no doubt important for the security of the site, Mega noted that the bugs reported so far were relatively simple, and expressed hope that future reports will address higher-level and conceptual issues.
"It is clear that the vulnerabilities identified so far could all be found by checking only a few lines of code at a time; none of them required any analysis at a higher level of abstraction," reads the blog.
Mega divides vulnerabilities into six severity classes according to their nature and impact, with the most serious, severity class VI, reserved for "fundamental and generally exploitable cryptographic design flaws".
According to Mega, no severity class VI vulnerabilities have been identified so far. Nor has anything in severity class V, which covers "remote code execution on core MEGA servers (API/DB/root clusters) or major access control breaches", been reported.
One class IV vulnerability was submitted, however, along with three class III vulnerabilities and one class II vulnerability.
Participants in the program also identified two less critical class I vulnerabilities, a class that covers lower-impact or purely theoretical scenarios.
Vulnerability rewards programs of this kind are becoming an increasingly popular option for organisations looking to get ahead of cybercriminals, by inviting the wider security research community to test their public-facing sites and report weaknesses before they are exploited.
Ethical hacking is also a practical option for organisations that want their internal servers to be as secure as possible without sacrificing productivity or risking unplanned downtime.
By commissioning a red team evaluation, a company can have a realistic attack simulated against its systems in order to determine where exploitable vulnerabilities are actually exposed.