$4.3 Million Paid Out by Facebook's Bug Bounty Program - How to, Technology and PC Security Forum | SensorsTechForum.com
$4.3 Million Paid Out by Facebook’s Bug Bounty Program

Most multinational companies run bug bounty programs that encourage independent researchers to locate and report vulnerabilities, and Facebook is no exception. In fact, the social network has paid out a great deal of money for vulnerability reports since its bounty program was launched in 2011.

Facebook Spends Millions of Dollars on Bug Reports

As revealed by security researcher Reginaldo Silva, Facebook has spent approximately $4.3 million on more than 2,400 bug reports submitted by 800 researchers since 2011.

Most of the reported vulnerabilities fall into these categories:

  • XSS (cross-site scripting) bugs
  • CSRF (cross-site request forgery) bugs
  • Business logic flaws (vulnerabilities)

What Is a Business Logic Vulnerability?

Most security problems can be described as weaknesses in an application that stem from a broken or missing security control such as authentication, access control or input validation. Business logic vulnerabilities are different: they are ways of using an application's legitimate processing flow that lead to a harmful outcome for the organization running it.

Reginaldo Silva received the program's biggest bounty payment, in 2014. This is what Facebook said about his discovery:

We recently awarded our biggest bug bounty payout ever, and since it’s a great validation of the program we’ve been building and running since 2011, we thought we’d take a few minutes to describe the issue and our response. […] Reginaldo Silva explains in the post linked below that the issue was an XML external entities vulnerability on https://www.facebook.com/openid/receiver.php which could have allowed someone to read arbitrary files on the webserver. Immediately, we implemented a fix by flipping a flag to cause our XML parsing library to disallow the resolution of external entities.

Have a Look at the Whole Post by Facebook
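As an added illustration of the fix Facebook describes above (this is example code written for this article, not Facebook's code or its parser library): the function below, using Python's standard-library expat bindings, refuses every external entity declaration or reference in untrusted XML and reports the refusal so it can be logged. The two sample documents and the placeholder file path are constructed for the example.

```python
import xml.parsers.expat as expat


class ExternalEntityRefused(ValueError):
    """Raised when untrusted XML declares or references an external entity."""


def parse_untrusted_xml(data):
    """Parse XML from an untrusted source, refusing every external entity.

    Returns (root_element_name, concatenated character data).
    """
    parser = expat.ParserCreate()
    # Never load an external DTD subset or parameter entities.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # Internal entities carry a literal value; external ones carry an identifier.
        if system_id is not None or public_id is not None:
            raise ExternalEntityRefused(f"external entity {name!r} declared ({system_id})")

    def external_ref(context, base, system_id, public_id):
        # Reached only for a reference that slipped past the declaration check.
        raise ExternalEntityRefused(f"external entity reference refused ({system_id})")

    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_ref

    elements, text = [], []
    parser.StartElementHandler = lambda name, attrs: elements.append(name)
    parser.CharacterDataHandler = text.append
    parser.Parse(data, True)  # raises expat.ExpatError on malformed input
    return elements[0], "".join(text).strip()


def check_untrusted_xml(data):
    """Return (accepted, detail) so a caller can log refused documents."""
    try:
        root, text = parse_untrusted_xml(data)
    except ExternalEntityRefused as exc:
        return False, str(exc)
    except expat.ExpatError as exc:
        return False, f"malformed XML: {exc}"
    return True, f"{root}: {text}"


# Constructed sample input: a benign document and one declaring an external
# entity with a placeholder path (not a real server path).
BENIGN = b"<?xml version='1.0'?><response><status>ok</status></response>"
EXTERNAL = (b"<?xml version='1.0'?>"
            b"<!DOCTYPE response [<!ENTITY ext SYSTEM 'file:///placeholder/path'>]>"
            b"<response>&ext;</response>")

if __name__ == "__main__":
    for doc in (BENIGN, EXTERNAL):
        print(check_untrusted_xml(doc))
```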

What about the other bug bounties? In 2015 Facebook spent a little less than in 2014: $936,000. That sum was shared among 210 researchers in exchange for 526 reported bugs, so the average bounty was $1,780. Indian researchers topped the 'bug bounty chain' in both 2014 and 2015, and researchers from Egypt and Trinidad also led the numbers compared with their US and UK counterparts.

According to Reginaldo Silva (originally quoted by TheRegister):

[…] the quality of reports we receive is getting better over time, both in terms of clear step-by-step instructions to reproduce the issue as well as thoughtful consideration of potential risk to people who use Facebook.

Silva believes that business logic flaw reports help Facebook enforce rules within its code base and thus eliminate entire classes of flaws. In conclusion, focusing on high-quality reports and business logic flaws makes it easier for researchers to classify vulnerabilities.

Milena Dimitrova
