Facebook has paid $4.3m to bug-hunters since 2011

Trinidad and Tobago quite the bug-reporting hotspots, it transpires


Facebook security engineer Reginaldo Silva says Menlo Park has paid out $4.3m (£3.8m, A$6m) for more than 2,400 vulnerability reports submitted since its bug bounty began in 2011.

The payments made under one of the world's most popular bug bounty programmes were sent to more than 800 researchers who sent in a variety of cross-site scripting (XSS), cross-site request forgery (CSRF) and business logic flaws.

Facebook last year paid out a little less than the previous year – $936,000 (£644,477, A$1.29m) – to 210 researchers who submitted 526 bugs.

The average pay-out was $1,780 (£1,225, A$2,489). India took the top spot, as it did the previous year, but Egypt and Trinidad and Tobago beat last year's US and UK to the runners-up spot for receiving the highest number of payouts.

Silva says tools and frameworks are eliminating the easily spotted web application holes – leaving hackers to find and report business logic vulnerabilities.

"As the programme matures and traditional security issues like XSS and CSRF become more difficult to find, many of our top participants are focusing their research on our business logic," Silva says.

"As Facebook grows, we've gotten better at protecting against traditional security issues very early in our stack, using tools and frameworks such as XHP and React.

"...the quality of reports we receive is getting better over time, both in terms of clear step-by-step instructions to reproduce the issue as well as thoughtful consideration of potential risk to people who use Facebook."

Silva says the business logic flaws help Facebook apply rules to its code base and eliminate entire classes of vulnerabilities. The focus on high-quality reports and business logic flaws makes it easier for security wonks to evaluate vulnerabilities, too.

Facebook averages some $860,00 (£592,000 A$1,202) in payouts a year compared to Google's yearly average of $1.2m (£826,300, A$1.7m) in payouts made since 2010.

Mountain View has shelled out more than $2m (£1.4m, A$2.8m) for 750 bugs submitted over the last 12 months, during which time it expanded its programme so that those submitting Android bugs would also be paid. ®

Similar topics


Other stories you might like

  • It's primed and full of fuel, the James Webb Space Telescope is ready to be packed up prior to launch

    Fingers crossed the telescope will finally take to space on 22 December

    Engineers have finished pumping the James Webb Space Telescope with fuel, and are now preparing to carefully place the folded instrument inside the top of a rocket, expected to blast off later this month.

    “Propellant tanks were filled separately with 79.5 [liters] of dinitrogen tetroxide oxidiser and 159 [liters of] hydrazine,” the European Space Agency confirmed on Monday. “Oxidiser improves the burn efficiency of the hydrazine fuel.” The fuelling process took ten days and finished on 3 December.

    All eyes are on the JWST as it enters the last leg of its journey to space; astronomers have been waiting for this moment since development for the world’s largest space telescope began in 1996.

    Continue reading
  • China to upgrade mainstream RISC-V chips every six months

    Home-baked silicon is the way forward

    China is gut punching Moore's Law and the roughly one-year cadence for major chip releases adopted by the Intel, AMD, Nvidia and others.

    The government-backed Chinese Academy of Sciences, which is developing open-source RISC-V performance processor, says it will release major design upgrades every six months. CAS is hoping that the accelerated release of chip designs will build up momentum and support for its open-source project.

    RISC-V is based on an open-source instruction architecture, and is royalty free, meaning companies can adopt designs without paying licensing fees.

    Continue reading
  • The SEC is investigating whistleblower claims that Tesla was reckless as its solar panels go up in smoke

    Tens of thousands of homeowners and hundreds of businesses were at risk, lawsuit claims

    The Securities and Exchange Commission has launched an investigation into whether Tesla failed to tell investors and customers about the fire risks of its faulty solar panels.

    Whistleblower and ex-employee, Steven Henkes, accused the company of flouting safety issues in a complaint with the SEC in 2019. He filed a freedom of information request to regulators and asked to see records relating to the case in September, earlier this year. An SEC official declined to hand over documents, and confirmed its probe into the company is still in progress.

    “We have confirmed with Division of Enforcement staff that the investigation from which you seek records is still active and ongoing," a letter from the SEC said in a reply to Henkes’ request, according to Reuters. Active SEC complaints and investigations are typically confidential. “The SEC does not comment on the existence or nonexistence of a possible investigation,” a spokesperson from the regulatory agency told The Register.

    Continue reading

Biting the hand that feeds IT © 1998–2021