Facebook Bug Bounty Submissions Climb in 2014

Facebook released final numbers on 2014 submissions and payouts from its bug bounty program, showing continued growth in both areas.

  1. Less than two months into the year and Facebook said it has already validated more than 100 submissions to its bug bounty, demonstrating a consistently growing interest in such programs industry wide.

“Report volume is at its highest levels, and researchers are finding better bugs than ever before,” said Colin Greene, security engineer at Facebook.

Today, the social network reported its final bug bounty submission and payout numbers for 2014. Most notable: 61 percent of eligible vulnerability submissions were rated high severity by Facebook; that number eclipses 2013’s numbers by 49 percent.

Overall, Facebook said it received 17,011 submissions, a 16 percent jump year over year, resulting in more than $1.3 million paid out to 321 researchers worldwide, an average payout of $1,800. Of the $1.3 million paid out, more than $250,000 went to the top five participants. Since the bounty program began in 2011, Facebook said it has paid out more than $3 million.

Last week at the Kaspersky Lab Security Analyst Summit, HackerOne chief policy officer Katie Moussouris said it’s important that vulnerability disclosure programs directly feed an organization’s software development lifecycles. She also stressed the importance of strategic thinking with regard to bounty programs, for example, concentrate not only on finding and fixing one-off bugs, but also focus on eliminating classes of vulnerabilities and the development of mitigations as well.

For its part, Facebook said its bounty program helped uncover a number of potentially serious vulnerabilities, including the discovery of hidden input parameters causing downstream issues.

“After we fixed the instance from this report, we also fixed a few other spots and made improvements around duplicate parameters so that issues like this shouldn’t happen again,” Greene said.

Greene also provided another example where legacy REST API calls were allowed to be made on behalf of any Facebook user because of a misconfiguration issue. An attacker would need only the user ID which could be obtained from the user’s profile or Graph API, Green said.

Facebook has invested continuously in its bounty program. Last fall, it announced that it was adding an incentive for researchers to find bugs in its ads code. In particular, Facebook was hoping for some additional eyeballs on its ads code user interface, which includes the Ads Manager and Power Editor tools that enable users to edit and upload bulk ads—a number of permissions-based security issues arose in both of those areas, Facebook said. Also, its Ads API is an area Facebook said was also in scope.

More than a year ago, Facebook paid out its largest bounty to date, $33,500 to Brazilian researcher Reginaldo Silva for a remote code execution vulnerability he reported in the OpenID implementation in Facebook that paved the way for attackers to pull of XXE attacks.

Suggested articles