Record year for Facebook bug hunters
Posted on 04 April 2014.
With nearly 15,000 submissions - 687 of which were valid and eligible for awards - 2013 was a record year for Facebook's bug bounty program. Add to this the fact that the company paid out $1.5M to 330 researchers across the globe, and you can say that it was a good year for everyone involved.

"The average reward in 2013 was $2,204, and most bugs were discovered in non-core properties, such as websites operated by companies we've acquired," shared Collin Greene, Security Engineer at Facebook.

"6% of eligible bugs were categorized as high severity. From reading the first submission to implementing an initial fix, our median response time for these high-severity issues was about 6 hours," he added.

Submissions from Indian researchers were the most numerous (136) in 2013, followed by those from researchers in the US, Brazil and the UK (92, 53 and 40 bugs respectively). But Russian researchers have, as a group, earned the most from their submissions - an average of $3,961 for each of 38 bugs.

Brazilian researcher Reginaldo Silva got the biggest award to date - $33,500 - for discovering a remote code execution flaw affecting Facebook's servers.

"Security is about more than just code, and it's important to remember that security bugs can arise from circumstances that aren't highly technical or complex," Greene pointed out. "For example, we awarded a bounty after learning that the UI logic on our Page administrator tool could have caused someone attempting to decline an admin confirmation request to inadvertently add that person as an admin. We fixed the interface to make the intent clearer."

Greene ended with several announcements about changes to the bug bounty program. Instagram, Parse, Atlas, and Onavo are now also fair game, but text injection reports will no longer be rewarded.

Bounties for high-impact issues will increase as time passes. "In general, the best targets for high-impact issues as a security researcher are facebook.com itself, the Facebook or Instagram mobile apps, or HHVM," he concluded.

Copyright 1998-2014 by Help Net Security.