Facebook today reported a dramatic increase in 2013 submissions to its bug bounty program, and said that despite reports from researchers that it’s becoming difficult to find severe bugs on its various properties, the social network plans to increase rewards for critical bugs.
“The volume of high-severity issues is down, and we’re hearing from researchers that it’s tougher to find good bugs,” Facebook security engineer Collin Greene said. “To encourage the best research in the most valuable areas, we’re going to continue increasing our reward amounts for high priority issues.”
Greene said Facebook paid out $1.5 million in bounties last year, rewarding more than 330 researchers at an average payout of $2,204. Submissions, however, skyrocketed 246 percent over 2012 to 14,763, he said. Most of those, however, were not eligible for a bounty; only six percent were rated high severity. Greene said that Facebook has been able to cut its response time for critical vulnerabilities down to six hours. Facebook also released geographic stats on its bug submissions, revealing that researchers in India contributed the largest number of valid bugs (136), while researchers in Russia earned on average more than anyone from the program, $3,961 (38 bugs). U.S.-based researchers, meanwhile, reported 92 bugs and were rewarded on average $2,272.
“Most submissions end up not being valid issues, but we assume they are until we’ve fully evaluated the report,” Greene said. “That attitude makes it possible for us to triage high-priority issues quickly and get the right resources allocated immediately.”
Most leading technology providers have some sort of vulnerability rewards program. Most, including Google, Yahoo, Github and others reward researchers for finding vulnerabilities in Web-based applications and services. Microsoft, however, is an outlier, paying significant rewards for bypasses of mitigations built into Windows and other Microsoft products.
These companies are in a constant tug of war with vulnerability brokers, exploit vendors and the black market, most of whom pay more for bugs than vendors. Microsoft, for example, has tried to narrow the gap with a $100,000 rewards for mitigation bypasses, but even a low six-figure payout may pale in comparison to what a less than scrupulous researcher could earn on the underground, for example.
Other legitimate programs such as HP’s Zero-Day Initiative offer six-figure paydays at events such as the Pwn2Own contest held in conjunction with the annual CanSecWest conference. This year’s contest paid out $850,000 with French exploit vendor VUPEN cashing in with close to a half-million dollars in prizes.
Facebook’s biggest payout was made in January to Brazilian engineer Reginaldo Silva who earned $33,500 for what Facebook called an XML External Entities Attack. The vulnerability could allow an attacker to read files from a Facebook server to another internal service and execute code. The bug caused Facebook to disable external entities across and audit the code for similar endpoints, Greene said.
“One of the most encouraging trends we’ve observed is that repeat submitters usually improve over time,” Greene said. “It’s not uncommon for a researcher who has submitted non-security or low-severity issues to later find valuable bugs that lead to higher rewards.”
To that end, Green said Facebook is giving researchers a new support dashboard where they can view the status of submissions. Also, the bug bounty has now been extended to Facebook acquisitions Instagram, parse, Atlas and Onavo.