Facebook doubles bounties for bugs in ads code
Facebook has announced that all vulnerabilities affecting the company’s ads code will now be worth twice as much to the bug hunters who find and responsibly disclose them via Facebook’s bug bounty program.
If you’re asking why the bounties were increased, the answer is simple: Facebook’s own security team recently went through this code and found and fixed as many vulnerabilities they could find, and now they are looking to get information from researchers looking at the code with a fresh set of eyes.
“Also, since the vast majority of bug reports we work on with the Whitehat community are focused on the more common parts of Facebook code, we hope to encourage researchers to become more familiar with the surface area of ads to better protect the businesses that use them,” noted Collin Greene, a Security Engineer at Facebook.
He also shared some pointers that could help point the bug hunters’ sights in the right direction, and examples of vulnerabilities the company’s workers have found so far.
“At this stage of our bug bounty program, it’s uncommon for us to see many of the common web security bugs like XSS. What we see more often are things like missing or incorrect permissions checks, insufficient rate-limiting that can lead to scraping, edge-case CSRF issues, and problems with SWFs,” he noted.
The company also published A Bounty Hunter’s Guide to Facebook, and step-by-step how-to on submitting bugs that includes pointers on what to include in the submission, how to make it easier for Facebook to reproduce the bug, how to test bugs, and more.