Facebook Bug Bounty Program Makes Largest Payout To Date

According to ZDNet, Facebook uses OpenID providers to verify users’ identities when they forget their passwords for the social network.

Facebook wrote in a post on its Facebook Bug Bounty page:

We recently awarded our biggest bug bounty payout ever, and since it’s a great validation of the program we’ve been building and running since 2011, we thought we’d take a few minutes to describe the issue and our response.

In November, we were reading through incoming bug reports and came across a claim we wanted to investigate right away: arbitrary file reads. The report was well written and included proof of concept code, so we were able to reproduce the issue easily. After running the proof of concept to verify the issue, we filed an urgent task — triggering notifications to our on-call employees.

Only 3.5 hours after Reginaldo hit send on his report, the short-term fix was live. The next step was to better understand the issue: how it came about, whether it existed anywhere else in the code base, and any other steps we wanted to take. This part of the process is exciting because there’s potential to find related issues or other areas to investigate.

At this point, we wrote back to Reginaldo to applaud him for his file read vulnerability. We discussed the matter further, and, due to a valid scenario he theorized involving an administrative feature we are scheduled to deprecate soon, we decided to reclassify the issue as a potential RCE (remote command execution) bug. We knew we wanted to pay out a lot because of the severity of the issue, so we decided to average the payout recommendations across a group of our program administrators. As always, we design our payouts to reward the hard work of researchers who are already inclined to do the right thing and report bugs to the affected vendors.

More technical descriptions of the bug and Facebook’s solutions are available both in the Facebook Bug Bounty post and the blog post by Silva, who wrote:

A lot of bug bounty programs around the Web have a rule that I think is very sensible: Whenever you find a bug, don’t linger on messing around. Report the bug right away and the security team will consider the worst-case scenario and pay accordingly. However, I didn’t have much experience with the security team at Facebook, and I didn’t know if they would consider my bug as an RCE or not. Since I didn’t want to cause the wrong impressions, I decided I would report the bug right away, ask for permission to try to escalate it to a RCE, and then work on it while it was being fixed. I figured that would be OK because most bugs take a long time to be processed, and so I had plenty of time to try to escalate to an RCE while still keeping the nice imaginary white hat I have on my head. So after writing the bug report, I decided to go out and have lunch, and the plan was to continue working when I came back.

However, I was wrong again. Since this was a very critical bug, when I got back home from lunch, a quick fix was already in place, less than two hours after the initial report was sent. Needless to say, I was very impressed and disappointed at the same time, but since I knew just how I would escalate that attack to an RCE bug, I decided to tell the security team what I’d do to escalate my access and trust them to be honest when they tested to see if the attack I had in my mind worked or not. I’m glad I did that. After a few back-and-forth emails, the security team confirmed that my attack was sound and that I had indeed found a RCE affecting their servers.

So this is how the first high-impact bug I ever found was the entry point for an attack that probably got one of the highest payouts of any Web security bug bounty program. Plus, and more importantly, I get to brag that I broke into Facebook … Nice, huh? Oh, by the way, the Facebook security team wrote a post to tell their side of the story.

Readers: Have you ever tried to report bugs to Facebook?

Images courtesy of Shutterstock.