Guess how much Facebook paid out in 2013 to those reporting bugs? Take a breath: US $1.5 million. And this year, the amount is going to rise, says Facebook.
Here are some of the highlights from this bounty program:
- 14,763 submissions received in 2013, a 246% increase from 2012
- Of these, 687 were valid and eligible to receive rewards
- 6% of eligible bugs were classified as high severity
- The average reward in 2013 was US $2,204. Most bugs were discovered in non-core properties, such as websites operated by firms Facebook acquired
Bounties at scale
Every one of the almost 15,000 submissions we received last year was reviewed individually by a security engineer, and our team remains small.
Most submissions end up not being valid issues, but we assume they are until we've fully evaluated the report. That attitude makes it possible for us to triage high-priority issues quickly and get the right resources allocated immediately. We've managed to bring the median fix time for high-severity issues down to just 6 hours, and we're going to keep focusing on efficiency as the program grows. We also use static analysis and other automated tools where applicable to help stop engineers from repeating mistakes later.
We're grateful to all the researchers around the world who have taken the time to evaluate our services and report bugs. Researchers in Russia earned the highest amount per report in 2013, receiving an average of $3,961 for 38 bugs. India contributed the largest number of valid bugs at 136, with an average reward of $1,353. The USA reported 92 issues and averaged $2,272 in rewards. Brazil and the United Kingdom were third and fourth by volume, with 53 bugs and 40 bugs, respectively, and average rewards of $3,792 and $2,950.
Bug spotlight
Here are some of our favourite reports from last year:
- XML External Entities Attack: We awarded $33,500, our largest payout ever, to Reginaldo Silva for finding an XML external entities attack capable of reading files from a Facebook web server and reaching an internal service that could run code. We confirmed that the same XXE attack could have been used to execute code from that service. To address the report, we disabled external entities across Facebook, audited the codebase for similar endpoints, rotated the password for the internal service, and are working on shifting to a new service entirely. Reginaldo describes more in his own write-up.
- ActionScript Filtering Bypass: Embedding external .swf files like YouTube videos can normally be protected from malicious JavaScript by using Adobe's allowScriptAccess=never flag. However, we learned from a report that using jar:javascript:alert(1) inside a .swf file could bypass allowScriptAccess=never and execute JavaScript on Firefox. We quickly shifted a set of our .swf files from hosting on facebook.com to our sandbox domain, fbsbx.com, so that any script that did execute would run in the sandbox origin rather than on facebook.com. The workaround was effective until Adobe released an official fix on January 14.
- UI Confusion Bug: Security is about more than just code, and it's important to remember that security bugs can arise from circumstances that aren't really technical or complex. For example, we awarded a bounty after learning that the UI logic on our Page admin tool could have caused someone attempting to decline an admin confirmation request to unwittingly add that person as an admin. We fixed the interface to make the intent clearer.
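The XML External Entities report above is worth seeing in code. The following is an added example, not Facebook's code and not Reginaldo's exploit: it builds the classic file-read XXE payload against Python's standard-library SAX parser, shows the leak when external general entity loading is switched on, and shows the hardening the post describes (disable external entities, and additionally refuse any DOCTYPE so the internal subset can't declare entities at all). The secret file, its contents and the `credentials.txt` name are constructed for the demo.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax import handler


class _TextCollector(handler.ContentHandler):
    """Collects character data so we can see what an entity expanded to."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)

    def text(self):
        return "".join(self.chunks)


def build_xxe_payload(target_path):
    """Classic file-read XXE: an external general entity pointing at a local file.

    The entity is expanded wherever &xxe; appears, so the file's contents land
    in the parsed document (and, in a real service, in whatever is echoed back).
    """
    return (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE foo [<!ENTITY xxe SYSTEM "%s">]>\n'
        "<foo>&xxe;</foo>" % target_path
    ).encode()


def parse_vulnerable(xml_bytes):
    """The bug: external general entities are resolved, so SYSTEM "path" is read."""
    parser = xml.sax.make_parser()
    collector = _TextCollector()
    parser.setContentHandler(collector)
    parser.setFeature(handler.feature_external_ges, True)  # the dangerous setting
    parser.parse(io.BytesIO(xml_bytes))
    return collector.text()


def parse_hardened(xml_bytes):
    """The fix, in two layers.

    1. Refuse any DOCTYPE before parsing: without an internal subset no entity
       (external or the 'billion laughs' kind) can be declared.  The keyword is
       case-sensitive in XML, so a plain byte search is enough for UTF-8 input;
       documents in other encodings must be transcoded first.
    2. Keep external general and parameter entity loading switched off anyway,
       so a missed DOCTYPE still cannot reach the filesystem or network.
    """
    if b"<!DOCTYPE" in xml_bytes:
        raise ValueError("DOCTYPE declarations are not accepted")
    parser = xml.sax.make_parser()
    collector = _TextCollector()
    parser.setContentHandler(collector)
    parser.setFeature(handler.feature_external_ges, False)
    parser.setFeature(handler.feature_external_pes, False)
    parser.parse(io.BytesIO(xml_bytes))
    return collector.text()


def demo():
    """Run the payload against both parsers; returns (leaked_text, was_blocked)."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed stand-in for the internal-service credentials the post mentions.
        secret = os.path.join(d, "credentials.txt")
        with open(secret, "w") as f:
            f.write("internal-service-password=s3cr3t")
        payload = build_xxe_payload(secret)
        leaked = parse_vulnerable(payload)
        try:
            parse_hardened(payload)
            blocked = False
        except ValueError:
            blocked = True
        return leaked, blocked


if __name__ == "__main__":
    leaked, blocked = demo()
    print("vulnerable parser leaked:", leaked)
    print("hardened parser blocked payload:", blocked)
```

The same two knobs exist in every mainstream XML stack (libxml2's `NOENT`/`DTDLOAD` flags, Java's `disallow-doctype-decl` feature, .NET's `DtdProcessing`); the audit step the post describes is finding every endpoint that parses attacker-supplied XML and confirming both are set the safe way.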
Looking forward
One of the most encouraging trends we've observed is that repeat submitters usually improve over time. It's not uncommon for a researcher who has submitted non-security or low-severity issues to later find valuable bugs that result in higher rewards. To help encourage the best research, we're making some changes:
- We created a new, centralized Support Dashboard to give researchers a simple way to view the status of their reports and keep track of their progress.
- The following properties are now in scope: Instagram, Parse, Atlas, and Onavo.
- We're no longer going to reward text injection reports. Rendering text on a page is not a security issue on its own without some kind of additional social engineering, and we don't reward phishing reports.
- We created a reference list of commonly reported issues that are ineligible.
We will continue to increase bounties over time for high-impact issues. In general, the best targets for high-impact issues as a security researcher are facebook.com itself, the Facebook or Instagram mobile apps, or HHVM.
Collin Greene is a Security Engineer at Facebook.