Most multinational companies run bug bounty programs that encourage independent researchers to find and report vulnerabilities, and Facebook is no exception. In fact, the social network has paid out a large sum for flaw reports since its bounty program started in 2011.
Facebook Spends Millions of Dollars on Bug Reports
As revealed by security researcher Reginaldo Silva, Facebook has paid out approximately $4.3 million for more than 2,400 bug reports, submitted by 800 researchers since 2011.
The most commonly reported vulnerability types were:
- XSS (cross-site scripting) bugs
- CSRF (cross-site request forgery) bugs
- Business logic flaws (vulnerabilities)
Read More about Facebook XSS Bugs
What Is a Business Logic Vulnerability?
Most security problems can be described as weaknesses in an application that arise from a broken or missing security control, such as authentication, access control or input validation. Business logic vulnerabilities are different: they are ways of using an application's legitimate processing flow that lead to a harmful outcome for the organization in question.
Reginaldo Silva received the biggest bounty payment, awarded in 2014. This is Facebook's own account of his discovery:
We recently awarded our biggest bug bounty payout ever, and since it’s a great validation of the program we’ve been building and running since 2011, we thought we’d take a few minutes to describe the issue and our response. […] Reginaldo Silva explains in the post linked below that the issue was an XML external entities vulnerability on https://www.facebook.com/openid/receiver.php which could have allowed someone to read arbitrary files on the webserver. Immediately, we implemented a fix by flipping a flag to cause our XML parsing library to disallow the resolution of external entities.
Have a Look at the Whole Post by Facebook
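To make the fix quoted above concrete, here is an added illustration (not code from Facebook's post or from this article) that parses one constructed document twice with the Python standard library's expat bindings: once with external entity resolution switched on, so a local file's contents end up inside the parsed document, and once with every external reference refused, which is the effect of the flag Facebook flipped. Opening the SYSTEM identifier as a local path is an assumption made only for this demo.

```python
import os
import tempfile
import xml.parsers.expat as expat

def build_document(path: str) -> bytes:
    """Constructed sample: declare an external entity that points at a local
    file and reference it from element content."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE data [<!ENTITY ext SYSTEM "{path}">]>\n'
        '<data>&ext;</data>'
    ).encode()

def parse_text(document: bytes, resolve_external_entities: bool) -> str:
    """Return the character data inside <data> under one parsing policy.
    True mimics a parser with external-entity resolution switched on: the
    handler opens the SYSTEM identifier as a local path (a demo assumption)
    and parses it, so file contents land in the document. False mimics the
    fix quoted above: external references are refused and expat raises."""
    chunks = []
    parser = expat.ParserCreate()
    parser.CharacterDataHandler = chunks.append

    def on_external_entity(context, base, system_id, public_id):
        if not resolve_external_entities:
            return 0  # 0 makes expat abort with ExpatError
        sub = parser.ExternalEntityParserCreate(context)
        with open(system_id, "rb") as fh:
            sub.Parse(fh.read(), True)  # sub-parser inherits the handlers
        return 1

    parser.ExternalEntityRefHandler = on_external_entity
    parser.Parse(document, True)
    return "".join(chunks)

def demo() -> dict:
    """Parse one document under both policies and report what each yielded."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write("s3cret-config-value")  # stands in for a sensitive server file
        secret_path = fh.name
    try:
        document = build_document(secret_path)
        results = {"resolved": parse_text(document, True)}
        try:
            results["hardened"] = parse_text(document, False)
        except expat.ExpatError as exc:
            results["hardened"] = f"rejected: {exc}"
        return results
    finally:
        os.unlink(secret_path)
```

In CPython's standard library the external entity handler is unset by default, so external entities are never fetched unless application code registers one; the "resolved" branch exists only to show what a parser with that feature enabled hands back.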
What about other bug bounties? In 2015 Facebook spent a little less than in 2014: $936,000. The sum was shared among 210 researchers in exchange for 526 reported bugs, an average bounty of $1,780. Indian researchers topped the bounty rankings in both 2014 and 2015, and researchers from Egypt and Trinidad ranked ahead of those from the US and UK.
According to Reginaldo Silva (originally quoted by TheRegister):
[…] the quality of reports we receive is getting better over time, both in terms of clear step-by-step instructions to reproduce the issue as well as thoughtful consideration of potential risk to people who use Facebook.
Silva believes that reports of business logic flaws help Facebook enforce rules within its code base and thereby eliminate entire classes of flaws. In short, focusing on high-quality reports and business logic flaws makes it easier for researchers to classify vulnerabilities.