Facebook awards $33,500 bounty for critical flaw
Posted on 23 January 2014.
Facebook has announced that it has awarded $33,500 - its biggest bug bounty payout to date - to a Brazilian security researcher who discovered a remote code execution flaw affecting Facebook's servers.

Reginaldo Silva initially reported to the company an XML external entity (XXE) vulnerability that allowed attackers to read arbitrary files from its web servers.

This was in November 2013, but he had found the bug a year earlier while examining how Drupal handled OpenID. It took him a year to realize that it could affect other services using the popular authentication standard, and he then began testing them.

Once he discovered that Facebook was also vulnerable, he submitted his findings and PoC exploit code to the company's security team.

"The report was well written and included proof of concept code, so we were able to reproduce the issue easily. After running the proof of concept to verify the issue, we filed an urgent task—triggering notifications to our on-call employees," the team explained in a post.

A short-term fix was produced in less than four hours and immediately deployed across the company's web servers. Silva was notified, but was disappointed: he believed that the bug could be escalated to a remote code execution vulnerability, but he was now unable to prove it.

"I decided to tell the security team what I'd do to escalate my access and trust them to be honest when they tested to see if the attack I had in my mind worked or not," he wrote. "I'm glad I did that. After a few back and forth emails, the security team confirmed that my attack was sound and that I had indeed found a RCE affecting their servers."

"We knew we wanted to pay out a lot because of the severity of the issue, so we decided to average the payout recommendations across a group of our program administrators," the team concluded. After receiving Silva's permission, Facebook shared the amount of his reward with the public.
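The class of bug described above is XXE: an XML parser that honours a DOCTYPE with an external entity definition will fetch whatever the entity points at, including local files, and hand the contents back inside the parsed document. The usual mitigation is to refuse DTDs altogether on XML from untrusted sources, such as the discovery documents an OpenID relying party fetches. The following is an added example, not code from Facebook, Drupal or Silva; it uses Python's stdlib expat handlers to reject any DOCTYPE or entity declaration before the application parser sees the document, and the XRDS and DOCTYPE samples are constructed for illustration.

```python
"""Defence in depth for XML received from untrusted sources (e.g. OpenID
XRDS discovery documents): refuse any document carrying a DOCTYPE or an
entity declaration before handing it to the application parser.
All sample documents below are constructed for this example."""
import xml.parsers.expat as expat
import xml.etree.ElementTree as ET


class DtdNotAllowed(ValueError):
    """Raised when untrusted XML declares a DOCTYPE or an entity."""


def reject_dtd(xml_bytes: bytes) -> None:
    """Scan with expat and abort on the first DTD construct.

    Exceptions raised inside expat handlers propagate out of Parse(), so
    the scan stops at the offending declaration; nothing is resolved.
    """
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdNotAllowed(f"DOCTYPE {name!r} declared (sysid={sysid!r})")

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        raise DtdNotAllowed(f"entity {name!r} declared (sysid={sysid!r})")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.Parse(xml_bytes, True)


def parse_untrusted_xml(xml_bytes: bytes) -> ET.Element:
    """Parse only after the DTD check passes. ElementTree's expat-based
    parser never loads external entities, so no XXE surface remains."""
    reject_dtd(xml_bytes)
    return ET.fromstring(xml_bytes)


def is_safe(xml_bytes: bytes) -> bool:
    """Convenience predicate for logging/alerting on rejected documents."""
    try:
        reject_dtd(xml_bytes)
        return True
    except DtdNotAllowed:
        return False


# Constructed samples: a benign XRDS discovery document, a document whose
# DOCTYPE defines an external entity pointing at a local file (the XXE
# pattern), and a DOCTYPE with no entities at all (still rejected).
BENIGN = (b'<?xml version="1.0"?><xrds:XRDS xmlns:xrds="xri://$xrds"><XRD>'
          b'<Service><Type>http://specs.openid.net/auth/2.0/server</Type>'
          b'<URI>https://op.example/endpoint</URI></Service></XRD></xrds:XRDS>')
XXE = (b'<?xml version="1.0"?><!DOCTYPE x [<!ENTITY f SYSTEM '
       b'"file:///etc/passwd">]><x>&f;</x>')
BARE_DOCTYPE = b'<!DOCTYPE x><x/>'
```

Run the check on every fetched document and treat a `DtdNotAllowed` as a security event worth logging, since legitimate XRDS and XRD documents have no reason to carry a DTD.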
