$4.3 Million Paid Out by Facebook's Bug Bounty Program - How-To, Technology and PC Security Forum | SensorsTechForum.com

$4.3 Million Paid Out by Facebook’s Bug Bounty Program

Most multinational companies run bug bounty programs that encourage independent researchers to find and report vulnerabilities, and Facebook is no exception. In fact, the social network has paid out millions of dollars for flaw reports since its bounty program started in 2011.

Facebook Spends Millions of Dollars on Bug Reports

As revealed by Reginaldo Silva, who now works on Facebook's security team, Facebook has paid out approximately $4.3 million for more than 2,400 valid bug reports submitted by over 800 researchers since 2011.

Most of the reported vulnerabilities fall into three classes:

  • XSS (cross-site scripting) bugs
  • CSRF (cross-site request forgery) bugs
  • Business logic flaws

Read more about Facebook XSS Bugs

What Is a Business Logic Vulnerability?

Most security problems are weaknesses in an application that arise from a broken or missing security control such as authentication, access control or input validation. Business logic vulnerabilities are different: every control may be present and working, yet the application's legitimate processing flow can be driven in a way its designers never intended, with a harmful outcome for the organization (for example, a discount applied more times than the business ever meant to allow). Because no single control is "broken", scanners rarely find these flaws; a human reading the flow does.
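To make the distinction concrete, here is an added example (not from the original article, and not Facebook code; Facebook has not published the business logic bugs it paid for). The shop, the prices, the coupon table and the user names are all constructed. The vulnerable checkout enforces access control and input validation, so it has no "missing control" in the classic sense, but it lets a customer stack the same valid coupon code as many times as they like. The fixed version adds the business rule the flow was missing.

```python
from dataclasses import dataclass, field

# Constructed catalogue and coupon table standing in for the application's data.
PRICES_CENTS = {"headphones": 10000}   # item -> price in cents
COUPONS = {"SAVE20": 20}               # coupon code -> percent off


@dataclass
class Order:
    user: str
    item: str
    coupon_codes: list = field(default_factory=list)


def is_valid_coupon(code):
    """Input validation: only codes the business actually issued are accepted."""
    return code in COUPONS


def checkout_vulnerable(order, authenticated_user):
    """Every classic security control is present, yet the flow can be abused.

    Access control: the order must belong to the caller.
    Input validation: the item and every coupon code must exist.
    Missing business rule: nothing limits how often a coupon is applied.
    """
    if order.user != authenticated_user:
        raise PermissionError("order does not belong to the caller")
    if order.item not in PRICES_CENTS:
        raise ValueError("unknown item")
    total = PRICES_CENTS[order.item]
    for code in order.coupon_codes:
        if not is_valid_coupon(code):
            raise ValueError("invalid coupon")
        total -= total * COUPONS[code] // 100   # each pass knocks 20% off the remainder
    return total


def checkout_fixed(order, authenticated_user):
    """Same controls as above, plus the rule the business intended: one coupon per order."""
    if order.user != authenticated_user:
        raise PermissionError("order does not belong to the caller")
    if order.item not in PRICES_CENTS:
        raise ValueError("unknown item")
    if len(order.coupon_codes) > 1:
        # The business rule lives in the code base, so the whole class of
        # "stack the same coupon" bugs disappears, not just this instance.
        raise ValueError("only one coupon may be applied per order")
    total = PRICES_CENTS[order.item]
    for code in order.coupon_codes:
        if not is_valid_coupon(code):
            raise ValueError("invalid coupon")
        total -= total * COUPONS[code] // 100
    return total


def stacking_attack(checkout, repeats=10):
    """A customer submits the same valid coupon `repeats` times through a legitimate flow."""
    order = Order(user="alice", item="headphones", coupon_codes=["SAVE20"] * repeats)
    return checkout(order, authenticated_user="alice")


def honest_purchase(checkout):
    """The intended use: one coupon, one order."""
    order = Order(user="alice", item="headphones", coupon_codes=["SAVE20"])
    return checkout(order, authenticated_user="alice")


if __name__ == "__main__":
    print("vulnerable, 10 stacked coupons:", stacking_attack(checkout_vulnerable), "cents")
    print("fixed, 1 coupon:", honest_purchase(checkout_fixed), "cents")
    try:
        stacking_attack(checkout_fixed)
    except ValueError as exc:
        print("fixed, 10 stacked coupons:", exc)
```

Note that the attacker sends nothing malformed: an authenticated user, a real item and a real coupon code. That is why such reports need the "clear step-by-step instructions" Facebook asks for, since the bug is only visible in the sequence of legitimate requests.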

Silva himself received the biggest single payout in the program's history, $33,500 in January 2014, for an XML external entity (XXE) bug. This is what Facebook said about his discovery at the time:

We recently awarded our biggest bug bounty payout ever, and since it’s a great validation of the program we’ve been building and running since 2011, we thought we’d take a few minutes to describe the issue and our response. [...] Reginaldo Silva explains in the post linked below that the issue was an XML external entities vulnerability on https://www.facebook.com/openid/receiver.php which could have allowed someone to read arbitrary files on the webserver. Immediately, we implemented a fix by flipping a flag to cause our XML parsing library to disallow the resolution of external entities.

Have a Look at the Whole Post by Facebook
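The fix Facebook describes, flipping a flag so the XML library refuses to resolve external entities, is worth seeing end to end. The block below is an added example, not Facebook's code: the vulnerable endpoint was PHP, while this models the same parser behaviour with Python's standard-library xml.sax, whose feature_external_ges setting is the analogous flag (an assumption about equivalence, not a statement about Facebook's library). The "sensitive" file and the hostile document are constructed inline so the example runs offline.

```python
import io
import os
import shutil
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Gathers the character data an application would read out of the document."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)

    def text(self):
        return "".join(self.chunks)


def parse_untrusted_xml(xml_bytes, resolve_external_entities):
    """Parse attacker-controlled XML and return its text content.

    resolve_external_entities=True models the pre-fix configuration: the parser
    fetches whatever a SYSTEM entity points at and inlines the result.
    False models the fix: the flag is flipped and the reference yields nothing.
    """
    parser = xml.sax.make_parser()
    collector = TextCollector()
    parser.setContentHandler(collector)
    # This is "the flag": may the parser load external general entities?
    parser.setFeature(feature_external_ges, resolve_external_entities)
    parser.parse(io.BytesIO(xml_bytes))
    return collector.text()


def xxe_demo():
    """Return (text with entities resolved, text with entities disabled)."""
    # Constructed stand-in for a sensitive file on the web server (think /etc/passwd).
    workdir = tempfile.mkdtemp()
    secret_path = os.path.join(workdir, "secret.txt")
    with open(secret_path, "w") as fh:
        fh.write("root:x:0:0:root:/root:/bin/bash")
    try:
        # Constructed hostile document: the DTD declares an external entity that
        # points at the local file, and the body references it.
        payload = (
            '<?xml version="1.0"?>\n'
            "<!DOCTYPE data [\n"
            f'  <!ENTITY xxe SYSTEM "{secret_path}">\n'
            "]>\n"
            "<data>&xxe;</data>"
        ).encode()
        leaked = parse_untrusted_xml(payload, resolve_external_entities=True)
        blocked = parse_untrusted_xml(payload, resolve_external_entities=False)
    finally:
        shutil.rmtree(workdir)
    return leaked, blocked


if __name__ == "__main__":
    leaked, blocked = xxe_demo()
    print("entities resolved:", repr(leaked))
    print("entities disabled:", repr(blocked))
```

With resolution enabled, the text of <data> is the contents of the file, which is exactly the arbitrary-file-read Facebook describes; with it disabled, the same document parses cleanly but the entity expands to nothing. Checking the parser's defaults (and pinning the setting explicitly, as above, rather than trusting them) is the practical takeaway, since xml.sax only switched this default off in Python 3.7.1 and other libraries and languages still differ.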

What about the yearly totals? In 2015 Facebook spent a little less than in 2014: $936,000, shared among 210 researchers in exchange for 526 valid bug reports, an average of $1,780 per bounty. Indian researchers topped the bounty table in both 2014 and 2015. Moreover, researchers from Egypt and Trinidad and Tobago were paid more in total than their US and UK counterparts.

According to Reginaldo Silva (as quoted by The Register):

[…] the quality of reports we receive is getting better over time, both in terms of clear step-by-step instructions to reproduce the issue as well as thoughtful consideration of potential risk to people who use Facebook.

Silva's point is that reports of business logic flaws are especially valuable: each one lets Facebook encode a rule in its code base and so eliminate an entire class of bugs rather than a single instance. In conclusion, a program that rewards high-quality reports and business logic findings also makes it easier for researchers to judge which vulnerabilities actually matter.

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum since the beginning. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim
