Facebook To Start Paying Bug Bounties

We’ve covered various stories about companies offering hackers and security researchers bounties for working exploits against their software, websites and so on. An early runner in the game was Google: Google Willing To Pay Bounty For Chrome Browser Bugs

Now, a year and a half down the road, Facebook has decided it’s a good idea to offer a $500 base bounty for exploits reported to the Facebook security team.

They claim they will pay out larger amounts for ‘truly significant’ bugs, but they aren’t qualifying that claim with any guidelines or amounts.

Facebook is going to pay hackers to find problems with its website — just so long as they report them to Facebook’s security team first.

The company is following Google and Mozilla in launching a Web “Bug Bounty” program. For security related bugs — cross site scripting flaws, for example — the company will pay a base rate of $500. If they’re truly significant flaws Facebook will pay more, though company executives won’t say how much.

“In the past we’ve focused on name recognition by putting their name up on our page, sending schwag out and using this as an avenue for interviews and the recruiting process,” said Alex Rice, Facebook’s product security lead. “We’re extending that now to start paying out monetary rewards.”

On Friday, Facebook will launch a new Whitehat hacking portal where researchers can sign up for the program and report bugs.

Many hackers go public with the software and website flaws they find to gain prestige. Finding an important bug on a widely used website such as Facebook can help make a journeyman hacker’s career, and going to the press with the issue can make him — or her — famous.

They have always credited people who discovered insecurities in the Facebook platform and gifted them with t-shirts and other goodies, but this is the first move Facebook has made towards paying for exploits.

It is true, though, that finding a serious bug in a prestigious web property like Facebook could make someone famous overnight. I would like to see more bounty programs, and those bounty programs paying out larger amounts.

Although I have to say I don’t believe a flaw in a social network would be worth that much on the black market (as opposed to, say, a zero-day in the latest version of Apache).

But talking about the issue before Facebook has had a chance to patch it, can be risky for Facebook users. In recent years, other companies have started these bug bounty programs to encourage hackers to keep quiet about the problems they find until they are patched.

Google pays between $500 and $3,133.70, depending on the severity of the flaw.

Google started to pay for browser bugs in early 2010, and then in November it expanded the program to cover bugs in its Web properties too.

The Web bug bounty program has helped Google uncover a lot of programming errors in the past eight months, most of which have been in Google’s lesser-known products, a company spokesman said this week.

Google sees its Web program as a big success. “We’re very happy with the success of our vulnerability reward program so far. We’ve already given out $300,000 and have seen a variety of interesting bugs,” the spokesman said in an e-mail message.

Facebook’s security team already engages in a lot of dialogue between security researchers and its own programmers. The company is contacted between 30 and 50 times each week by hackers. Their information leads to an average of about one to three “actionable bugs,” per week, Rice said. Most of these are cross-site scripting or cross-site request forgery issues. These are both very common Web programming errors that could be abused by scammers and cybercrooks to rip off Facebook users.

Google has given out over $300,000 since starting its program in 2010 (initially it was only for Chrome bugs); it has since expanded it to cover all of its web properties and has reaped the rewards by being able to fix all kinds of issues.

I foresee Facebook not having to pay out as much: the site is fairly closed and not as expansive as the Google empire, and it doesn’t have any kind of actual software offering like Chrome.

It’s an interesting program though and I hope it leads to Facebook becoming more secure.

Source: Network World

Posted in: Exploits/Vulnerabilities, Hacking News


One Response to Facebook To Start Paying Bug Bounties

  1. Nobody_Holme July 30, 2011 at 4:20 pm #

    Just going to chip in that back when Facebook was new-ish, you could log in by entering an incorrect password on a machine that’d been on that person’s Facebook before, because of, I assume (because I never looked into it, because I don’t even like the damn thing or want people’s details), cookie failure.

    Anyway, the password error page had a link to “my account” still present on the top toolbar at the time, which was active and valid despite the incorrect password.

    And I’m just going to repeat that you had to be on a machine that’d been used for that person’s facebook before. All I did was verify the bug on a workmate’s machine, and to be fair, it was patched out 2 weeks after I found it.

    Anyway, the point is, there’s some pretty major mistakes around in Facebook’s code, most likely.