Nearly a year ago, Facebook introduced its bug bounty program, inviting security researchers to poke around the site, discover vulnerabilities that could compromise the integrity or privacy of Facebook user data, and then responsibly disclose them to the company.
The minimum reward was $500. White hats were urged to search for Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF/XSRF) and Remote Code Injection bugs, and not to bother with spam or social engineering techniques, DoS vulnerabilities, bugs in Facebook's corporate infrastructure, or vulnerabilities in third-party websites or apps.
Still, when the social network's security team received a tip from a researcher about a vulnerability in the company's own network that would allow attackers to eavesdrop on internal communications, they made an unprecedented choice: they broadened the scope of the bug bounty program and invited researchers to search for other holes in the corporate network.
There are quite a few bug bounty programs instituted by tech companies such as Google and Mozilla, but Facebook has become the first firm to give white hats formal permission to target its corporate networks.
Given that Facebook has a strong incentive to protect the data belonging to its 900 million users, and the fact that data breaches have become a disturbingly common occurrence in the last two years or so, the step seems like a logical one.
I suppose nobody expects malicious attackers to have a change of heart and hand over information about a vulnerability for a few thousand dollars when they could sell the stolen information for much more. It should, therefore, come as no surprise that Ryan McGeehan, the manager of Facebook's security incident response unit, told Bloomberg that if there is a million-dollar bug, they will pay it out.
While there is always the possibility that researchers could disrupt the social network's stability and availability with their poking around, the fact is that Facebook's networks are probably under constant attack as it is, so such disruption could happen anyway.
In my opinion, Facebook has made the right decision. It seems to me that it is better to know that the hull of your boat has structural weaknesses and to try to reinforce it, than to sail around not knowing when it will be breached.
“Facebook’s bug bounty program was a nice step forward, security-wise, for the company, and one that paid off handsomely in terms of the avoidance of potential security breaches. And they didn’t pay anything close to the cost of breach mitigation to do it, pennies by comparison,” Cameron Camp, security researcher with ESET commented for Help Net Security.
“Now they are poised to expand the program, which has to be a step in the right direction. Trusting your development team to test every possible iteration yields certain results, but opening up the challenge to millions of security folks out across the web means millions of minds can potentially be looking for bugs, and that has to be a good thing.”