Facebook Hands Over £25,000 To Bug Hunters

It has taken just three weeks for Facebook to realise the benefits of its bug bounty program, after the social networking giant announced it had so far paid out $40,000 (£24,509) to bug hunters.

It was last month when Facebook began following the lead of Google, Microsoft, Mozilla and others, when it launched a programme offering to pay a bounty for certain carefully defined security bugs.

The bounty would be for external “whitehat” security researchers, who would work alongside Facebook’s own internal security team.

Bug Hunting

At that time, Facebook said it would pay a typical bounty of $500 (£306) to the first person to responsibly disclose a flaw that “could compromise the integrity or privacy of Facebook user data”. Typical example bugs included cross-site scripting flaws, cross-site request forgeries and remote code injection. Facebook said the bounty would be increased for higher-risk flaws.

And it seems that security researchers have found a number of vulnerabilities.

“A few weeks ago, we took that program to the next level – we started paying rewards to those who report bugs to us,” wrote Facebook’s chief security officer, Joe Sullivan, in a blog post. “The program has already paid out more than $40,000 in only three weeks and one person has already received more than $7,000 (£4,290) for six different issues flagged. It has been a joy to engage in dialogue about issues and hear from the diverse perspectives these people bring.”

Serious Flaw?

But it seems that at least one of these whitehat researchers has come across a very serious vulnerability indeed, after Facebook admitted it had shelled out $5,000 (£3,063) on a single bug bounty.

“In fact, we’ve already paid a $5,000 bounty for one really good report,” wrote Sullivan. “On the other end of the spectrum, we’ve had to deal with bogus reports from people who were just looking for publicity.”

“The program has also been great because it has made our site more secure – by surfacing issues large and small, introducing us to novel attack vectors, and helping us improve lots of corners in our code,” wrote Sullivan.

But Sullivan warned that Facebook has no plans to extend its bug bounty program to third-party apps and websites that utilise the Facebook platform to connect to people’s Facebook identities.

“Unfortunately, that’s just not practical because of the hundreds of thousands of independent Internet services implicated, but we do care deeply about security on the Platform,” wrote Sullivan. “We have a dedicated Platform Operations team that scrutinises these partners and we frequently audit their security and privacy practices. Additionally, we have built a number of backend tools that help automatically detect and disable spammy or malicious applications.”

“At the end of the day, we feel great knowing that we’ve launched another strong effort to help provide a secure experience on Facebook,” he wrote. “A bug bounty program is a great way to engage with the security research community, and an even better way to improve security across a complex technological environment.”

More Money

Facebook is relatively late compared to others in making use of external whitehat researchers in order to beef up its security protocols. Google and Mozilla have run similar schemes that have proved very successful in rooting out potential vulnerabilities.

But at least one security expert is worried that, despite Facebook’s reward program, it would be more profitable for researchers to sell their findings on the underground market.

So said Graham Cluley, senior technology consultant at Sophos, speaking to the BBC. He warned that many criminally-minded bug spotters might get more for what they find if they sell the knowledge on an underground market.

He also warned that the bug bounty scheme might be missing the biggest source of security problems on Facebook.

“They’re specifically not going to reward people for identifying rogue third party Facebook apps, clickjacking scams and the like,” he said. “It’s those sorts of problems which are much more commonly encountered by Facebook users and have arguably impacted more people.”

Cluley said that Facebook should consider setting up a “walled garden” that only allows vetted applications from approved developers to connect to the social networking site.

Considering there are more than a million developers registered on the platform, it is “hardly surprising” that the site is “riddled” with rogue applications and viral scams, Cluley said in an open letter to Facebook in April.