

Mega.co.nz: 1st week report of vulnerability reward program - Mithrandir
https://mega.co.nz/#blog_8

======
taproot
The smugness of this post reeks. Rather unwarranted considering the number of
XSS vulns found, I also question their classification of these, XSS in this
system entirely breaks their "encryption as a mass product" philosophy.
(provided you give them the benefit of the doubt and assume it's for the users
and not their protection)

Taking they want to tout this system as security focused I'm quite amazed they
seem to not have scrubbed a single output. I highly doubt they fixed it
properly either.

------
lemcoe9
This definitely seems like the best way they could handle the recent coverage
of their security.

