Posts tagged: Facebook Bug Bounty

Sep 02 2013

Facebook Vulnerability that Allowed any Photo to be Deleted Earns $12,500 Bounty

An Indian electronics and communications engineer who describes himself as a “security enthusiast with a passion for ethical hacking” has discovered a Facebook vulnerability that could have allowed for any photo on the site to be deleted without the owner’s knowledge.

Arul Kumar, a 21-year-old from Tamil Nadu, discovered that he could delete any Facebook image within a minute, even from verified pages, all without any interaction from the user.

For his efforts in reporting the vulnerability to Facebook’s whitehat bug bounty program, Kumar received a reward of $12,500.

The vulnerability that he discovered was based around exploiting the mobile version of the social network’s Support Dashboard, a portal that allows users to track the progress of any reports they make to the site, including highlighting photos that they believe should be removed.

Kumar explained his bug by using a demo account, as well as sending Facebook a proof of concept video in which he showed how he could have removed Mark Zuckerberg’s own photos from his album.

By following Facebook’s whitehat guidelines he was able to pick up his deserved bounty.

Dec 31 2011

Facebook Debit Card for White Hat Hackers

A few companies pay money to bug hunters. But Facebook is giving out something more unique than just a check.

Some security researchers are getting a customized “White Hat Bug Bounty Program” Visa debit card.

The researchers, who can make thousands of dollars for reporting just one security hole on the social-networking site, can use the card to make purchases, just like a credit card, or create a PIN and take money out of an ATM. As the researchers find more bugs, Facebook can add more money to their accounts.

Facebook wanted to do something special for the people who are helping the company shore up its software and keep hackers and malware out.

“Researchers who find bugs and security improvements are rare, and we value them and have to find ways to reward them,” said Ryan McGeehan, manager of Facebook’s security.

Besides holding cash value, the White Hat card may proffer other advantages. “We might make it a pass to get into a party,” for instance, McGeehan said. “We’re trying to be creative.”

The most Facebook has paid out for one bug report is $5,000, and it has done that several times, according to McGeehan. Payments have been made to 81 researchers, he said.

Szymon Gruszecki, a Polish security researcher and penetration tester; Neal Poole, a junior at Brown University who will be an intern at Facebook next summer; and Charlie Miller, a researcher at Accuvant known for finding holes in iOS 5 and Safari, praised the card. “Facebook whitehat card not as prestigious as the SVC card, but very cool ;) Fun way to implement no more free bugs,” Miller tweeted.

Facebook has plans to leverage the knowledge and skills of the researchers beyond just providing the bug bounty incentive.

“Whenever possible we’re going to try to load-in White Hat researchers into products early–as soon as (they are) in production,” McGeehan said. Thus Facebook “will get an early warning on anything they find.”

Jul 30 2011

Facebook To Start Paying Security Bug Bounty

Facebook is the most recent company to come to the bug-bounty party, officially announcing recently that:

“To show our appreciation for our security researchers, we offer a monetary bounty for certain qualifying security bugs.”

Here’s how it works:

Eligibility:
To qualify for a bounty, you must:

  • Adhere to our Responsible Disclosure Policy
  • Be the first person to responsibly disclose the bug
  • Report a bug that could compromise the integrity or privacy of Facebook user data, such as Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF/XSRF), or Remote Code Injection
  • Reside in a country not under any current U.S. Sanctions (e.g., North Korea, Libya, Cuba, etc.)

The Facebook security team will assess each bug to determine if it qualifies.

Rewards:

  • A typical bounty is $500 USD
  • We may increase the reward for specific bugs
  • Only 1 bounty per security bug will be awarded

Exclusions:
The following bugs aren’t eligible for a bounty:

  • Security bugs in third-party applications (e.g., http://apps.facebook.com/[app_name])
  • Security bugs in third-party websites that integrate with Facebook
  • Security bugs in Facebook’s corporate infrastructure
  • Denial of Service Vulnerabilities
  • Spam or Social Engineering techniques

Sign Up: Facebook Official Bug Bounty Page