Facebook To Start Paying Bug Bounties

We’ve covered various stories about companies offering hackers and security researchers bounties for handing over working exploits for their software, websites and so on. An early runner in the game was Google: Google Willing To Pay Bounty For Chrome Browser Bugs.

Now, 2 years down the road, Facebook has decided it’s a good idea to offer up a $500 bounty for exploits reported to the Facebook security team.

They are claiming they will pay out larger amounts for ‘truly significant’ bugs, but they aren’t qualifying that claim with any guidelines or amounts.

Facebook is going to pay hackers to find problems with its website — just so long as they report them to Facebook’s security team first.

The company is following Google and Mozilla in launching a Web “Bug Bounty” program. For security related bugs — cross site scripting flaws, for example — the company will pay a base rate of $500. If they’re truly significant flaws Facebook will pay more, though company executives won’t say how much.

“In the past we’ve focused on name recognition by putting their name up on our page, sending schwag out and using this as an avenue for interviews and the recruiting process,” said Alex Rice, Facebook’s product security lead. “We’re extending that now to start paying out monetary rewards.”

On Friday, Facebook will launch a new Whitehat hacking portal where researchers can sign up for the program and report bugs.

Many hackers go public with the software and website flaws they find to gain prestige. Finding an important bug on a widely used website such as Facebook can help make a journeyman hacker’s career, and going to the press with the issue can make him — or her — famous.

They have always credited people who discovered insecurities on the Facebook platform and gifted them with t-shirts and other goodies, but this is the first move Facebook has made towards paying for exploits.

It is true though, finding a serious bug in a prestigious web property like Facebook could make someone famous overnight. I would like to see more bounty programs and those bounty programs paying out larger amounts.

Although I have to say I don’t believe a flaw in a social network would be worth that much on the black market (as opposed to say a zero-day in the latest version of Apache).

But talking about the issue before Facebook has had a chance to patch it, can be risky for Facebook users. In recent years, other companies have started these bug bounty programs to encourage hackers to keep quiet about the problems they find until they are patched.

Google pays between $500 and $3,133.70, depending on the severity of the flaw.

Google started to pay for browser bugs in early 2010, and then in November it expanded the program to cover bugs in its Web properties too.

The Web bug bounty program has helped Google uncover a lot of programming errors in the past eight months, most of which have been in Google’s lesser-known products, a company spokesman said this week.

Google sees its Web program as a big success. “We’re very happy with the success of our vulnerability reward program so far. We’ve already given out $300,000 and have seen a variety of interesting bugs,” the spokesman said in an e-mail message.

Facebook’s security team already engages in a lot of dialogue between security researchers and its own programmers. The company is contacted between 30 and 50 times each week by hackers. Their information leads to an average of about one to three “actionable bugs,” per week, Rice said. Most of these are cross-site scripting or cross-site request forgery issues. These are both very common Web programming errors that could be abused by scammers and cybercrooks to rip off Facebook users.

Google have given out over $300,000 since they started their program in 2010 – initially it was only for Chrome bugs – but they expanded it to cover all of their web properties and they’ve reaped the rewards by being able to fix all kinds of issues.

I foresee Facebook not having to pay out so much; the site is fairly closed and it’s not as expansive as the Google empire. Plus they don’t have any kind of actual software offering like Chrome.

It’s an interesting program though and I hope it leads to Facebook becoming more secure.

Source: Network World


One Response to Facebook To Start Paying Bug Bounties

  1. Nobody_Holme July 30, 2011 at 4:20 pm #

    Just going to chip in that back when Facebook was new-ish, you could log in by entering an incorrect password on a machine that’d been on that person’s Facebook before, because of, I assume, because I never looked into it because I don’t even like the damn thing or want people’s details, cookie failure.

    Anyway, the password error page had a link to “my account” still present on the top toolbar at the time, which was active and valid despite the incorrect password.

    And I’m just going to repeat that you had to be on a machine that’d been used for that person’s Facebook before. All I did was verify the bug on a workmate’s machine, and to be fair, it was patched out 2 weeks after I found it.

    Anyway, the point is, there’s some pretty major mistakes around in Facebook’s code, most likely.