Facebook Pays Out Record Reward
Written by Alex Armstrong   
Wednesday, 29 January 2014

Facebook has paid out $33,500 for a security bug, its biggest ever reward. The record-breaking amount reflects how the bug was handled as well as its potential severity.

Facebook's Bug Bounty program was initiated in 2011 and, in its own words, "provides recognition and compensation to security researchers practicing responsible disclosure."


Facebook attracted a torrent of negative publicity last year when it refused to pay out a bounty to a security researcher who posted a message on Mark Zuckerberg's personal Facebook page in order to prove the existence of a serious security flaw. His approach was deemed to be an irresponsible method of disclosure.

The latest payout was made to Brazilian computer engineer Reginaldo Silva for reporting an XML External Entity (XXE) flaw involving OpenID that would enable arbitrary file reads. It is noteworthy not only for being Facebook's largest to date, at $35,000 beating the previous record of $20,000, but also because it is being used to provide a model of how to interact with Facebook's security team.

According to the post on the Facebook Bug Bounty page, the report submitted by Silva was well written and included proof-of-concept code. The team was able to implement a one-line fix:

 libxml_disable_entity_loader(true)

that caused the XML parsing library to disallow the resolution of external entities.
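To see what that one line changes, here is an added example (not code from the article or from Facebook) that mirrors the fix with Python's standard-library SAX parser, whose equivalent switch is the feature_external_ges flag; the XML document and the file it points at are constructed for the demo, so the check runs offline.

```python
# Added example, not from the article or Facebook: the PHP fix above,
# libxml_disable_entity_loader(true), mirrored with Python's stdlib SAX
# parser, whose switch is feature_external_ges (False = not loaded).
# The XML document and the "secret" file are constructed for the demo.
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import feature_external_ges

class NameCollector(xml.sax.ContentHandler):
    """Collect the character data that ends up inside <name>."""
    def __init__(self):
        super().__init__()
        self.parts = []
        self.in_name = False

    def startElement(self, name, attrs):
        self.in_name = (name == "name")

    def endElement(self, name):
        if name == "name":
            self.in_name = False

    def characters(self, data):
        if self.in_name:
            self.parts.append(data)

def expanded_name(xml_text, load_external):
    """Return what <name> expanded to. load_external=False is the hardened
    setting; True mimics a parser that still resolves external entities."""
    handler = NameCollector()
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, load_external)
    parser.setContentHandler(handler)
    parser.parse(io.StringIO(xml_text))
    return "".join(handler.parts)

def xxe_probe(load_external):
    """Point an external entity at a local file we create ourselves and
    report what reached <name>; '' means the entity was never loaded."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "secret.txt")  # constructed stand-in file
        with open(path, "w") as f:
            f.write("constructed-secret")
        doc = ('<!DOCTYPE u [<!ENTITY ext SYSTEM "%s">]>'
               '<u><name>&ext;</name></u>' % path)
        return expanded_name(doc, load_external)
```

Running xxe_probe(False) against a hardened parser returns an empty string, while the pre-fix behaviour (True) returns the file's contents, which is exactly the arbitrary file read the report described.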

That could have been the end of the story, in which case Silva would have earned a reward but perhaps not a record-breaking one. However, while impressed by the speed of the fix, only three and a half hours from his initial report, Silva was aware that the flaw had the potential for Remote Code Execution (RCE) and, in further discussion with Facebook, was able to convince them of its RCE status.

If you want to know the full story, read Silva's detailed account of the bug, which he originally discovered in Drupal and then inside Google's servers, and which provides some of the code he used to demonstrate its RCE potential to Facebook.

As the Facebook post makes clear, the amount of the reward reflects not only the severity of the bug, but also the way in which it was presented - promptly and with sufficient detail to make it easy to reproduce in the first instance, and then escalated, in a purely theoretical, white-hat manner, in co-operative discussion with the Facebook Bug Bounty team.


More Information

Facebook Bug Bounty

How I found a Remote Code Execution flaw affecting Facebook's servers 

Related Articles

Facebook Refuses Bounty, Internet Raises Over $10K

Microsoft and Facebook Launch Internet Bug Bounty Scheme

Google Offers Cash For Security Patches

Bounty Hunter Awarded $100,000
