Techrecipe

Facebook's Bug Bounty Program Marks Its 10th Anniversary

Most large IT companies, including Google and Apple, run bug bounty programs that reward researchers for reporting vulnerabilities in their services. Facebook has run its Bug Bounty Program since 2011, and 2020 marks its 10th anniversary. On that occasion, Facebook's security engineering manager Dan Gurfinkel looked back at the program's history, its present state and its future.

Participants in the Facebook bug bounty program contribute to improving Facebook's security and privacy by reporting previously undiscovered vulnerabilities. A bug bounty program, he said, helps fix problems quickly and protect the Facebook community, and the rewards it pays motivate higher-quality security research.

Over the past 10 years, more than 50,000 researchers have participated in the program, of whom 1,500 have received a reward. Rewarded researchers have come from 107 countries. Some researchers have since joined Facebook's security and engineering teams and continue to protect the Facebook platform; Dan Gurfinkel himself is one such case.

As of 2020, 130,000 reports have been submitted to the Facebook bug bounty program since 2011, of which 6,900 were rewarded. Of the 17,000 reports submitted in 2020, more than 1,000 qualified for a reward. In 2020 alone, more than $1.98 million in rewards was paid to researchers from more than 50 countries, and the annual payout has set a new record in each of the past three years. India, Tunisia and the United States were the top three countries by rewards received in 2020.

When Facebook reviews a report about a problem that needs fixing, it does not only look at the content of the submitted report; it also examines the underlying code to understand the root cause of the problem. Through this kind of active investigation, it has been able to find further improvements that protect user security and personal information. For the program's 10th anniversary, Gurfinkel acknowledged the impact the researcher community has had on protecting Facebook and highlighted two reports that helped discover and address important issues.

One report came from a researcher who participated in the 2020 Facebook bug bounty program, and the other from Google's vulnerability research team, Project Zero. In both cases the bugs were quickly patched by the team, which then added further protections through a follow-up review combining automated detection of the problem class with manual code review; there is no evidence that either bug was abused.

The first report was submitted in early 2020. Selamet Hariyanto found a bug involving an expired URL in the CDN that serves Facebook users around the world. The impact of the bug as reported was small and it was fixed immediately, but an internal research team determined that a skilled attacker could have used it to achieve remote code execution. Facebook paid him $800,000, because the bug bounty program sets the reward based on the maximum possible impact uncovered through a report, even when the issue as first reported had a smaller impact.

The second report is a Messenger vulnerability reported by Natalie Silvanovich of Google's Project Zero in the fall of 2020. Specifically, an attacker logged into the Messenger app for Android could send crafted messages to another Messenger user; because of the vulnerability, audio from the other party's device could be captured while the call was ringing, until the call was cancelled, blocked or expired. To carry out the attack, the attacker had to already be permitted to call the target, for example by being Facebook friends with them. It also required the attacker to modify their own Messenger app and send custom messages using reverse engineering tools.

After the reported vulnerability was fixed on the server side, the fix also covered other applications that use the same protocol for Facebook 1:1 calls. This report was likewise rewarded, with $600,000, the third-highest payout in the program's history, again based on the greatest possible impact.

When it was established in 2011, the Facebook bug bounty program covered only web pages, but as of 2020 it also covers mobile apps, Instagram, WhatsApp and Oculus. As the threat of attack grows year by year, Facebook says it is focusing on three things.

First, countering new risks. Facebook is developing ways to guide and incentivize security research in new risk areas, such as abuse of Facebook data by app developers, third-party applications that can access Facebook data, and security bugs on external websites.

Second, providing better research tools. Facebook plans to give the community tools that make finding Facebook bugs easier and help researchers earn more rewards. The recently released tool (Facebook Bug Description Language) is described as part of this effort: it lets researchers quickly build a test environment to reproduce bugs. In addition, Hacker Plus, an in-house loyalty program launched in October 2020, ranks researchers by their contributions and grants top-ranked researchers benefits such as bonuses, badges, early access to pre-launch products and features, and invitations to limited bug bounty events; it has paid out $40,000 in bonuses to date.

Third, building a network of researchers. Facebook plans to build this network through hacking events and a conference for researchers participating in the Facebook bug bounty program (BountyCon). Related information can be found here.

lswcap
