Facebook Bug Bounty Highlights & Updates

Facebook Security released the following exclusive security news on 04/03/2014, covering the highlights, received submissions, favorite bug reports and highest payouts for 2013 in the Facebook Bug Bounty program. In 2014, Facebook Security plans to introduce some major changes and updates to the bug bounty program to help encourage the best research from the Facebook Whitehat / Bug Bounty community.

Facebook Highlights & Updates:

We've been working steadily to grow our bug bounty program since 2011, and along the way we've rewarded hundreds of researchers for high quality work, built new relationships with the security community, and made Facebook even safer for the more than 1.2 billion people who use our service.

Here are some of our recent highlights:

  • We received 14,763 submissions in 2013, a 246% increase from 2012.
  • Of these, 687 were valid and eligible to receive rewards.
  • 6% of eligible bugs were categorized as high severity. From reading the first submission to implementing an initial fix, our median response time for these high-severity issues was about 6 hours. We've built our infrastructure to be able to push code twice a day, which helps us release important updates immediately.
  • We've paid over $2M since we got started in 2011, and in 2013 we paid out $1.5M to 330 researchers across the globe. The average reward in 2013 was $2,204, and most bugs were discovered in non-core properties, such as websites operated by companies we've acquired.
  • 2014 is looking good so far. The volume of high-severity issues is down, and we're hearing from researchers that it's tougher to find good bugs. To encourage the best research in the most valuable areas, we're going to continue increasing our reward amounts for high priority issues.

Bounties at scale

Every one of the almost 15,000 submissions we received last year was reviewed individually by a security engineer, and our team is still small (here's how to join us: https://www.facebook.com/careers/department?dept=engineering&req=a0IA0000006cQbeMAE). Most submissions end up not being valid issues, but we assume they are until we've fully evaluated the report. That attitude makes it possible for us to triage high-priority issues quickly and get the right resources allocated immediately. As mentioned above, we've managed to take the median fix time for high-severity issues down to just 6 hours, and we're going to continue focusing on efficiency as the program grows. We also use static analysis and other automated tools where applicable to help prevent engineers from repeating mistakes later.

We're grateful to all the researchers around the world who have taken the time to evaluate our services and report bugs. Researchers in Russia earned the highest amount per report in 2013, receiving an average of $3,961 for 38 bugs. India contributed the largest number of valid bugs at 136, with an average reward of $1,353. The USA reported 92 issues and averaged $2,272 in rewards. Brazil and the UK were third and fourth by volume, with 53 bugs and 40 bugs, respectively, and average rewards of $3,792 and $2,950.

Bug spotlight

Here are some of our favorite reports from last year:

- XML External Entities Attack: We awarded $33,500, our largest payout ever, to Reginaldo Silva for discovering an XML external entities attack capable of reading files from a Facebook web server to an internal service that could run code. We confirmed that the same XXE attack could have been used to execute code from that service. To address the report, we disabled external entities across Facebook, audited the codebase for similar endpoints, rotated the password for the internal service, and are working on shifting to a new service entirely. Reginaldo describes more here: http://www.ubercomp.com/posts/2014-01-16_facebook_remote_code_execution

- ActionScript Filtering Bypass: Embedding external .swf files like YouTube videos can normally be protected from malicious JavaScript by using Adobe's allowscript=never flag. However, we learned from a report that using jar:javascript:alert(1) inside a .swf file could bypass allowscript=never and execute JavaScript on Firefox. We quickly shifted a subset of our .swf files from hosting on facebook.com to our sandbox, fbsbx.com. The workaround was effective until Adobe released an official fix on January 14: http://helpx.adobe.com/security/products/flash-player/apsb14-02.html

- UI Confusion Bug: Security is about more than just code, and it's important to remember that security bugs can arise from circumstances that aren't highly technical or complex. For example, we awarded a bounty after learning that the UI logic on our Page administrator tool could have caused someone attempting to decline an admin confirmation request to inadvertently add that person as an admin. We fixed the interface to make the intent clearer.
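The XXE report above was addressed by disabling external entities across the codebase. The following is an added example (not Facebook's code) of what that policy looks like as a stand-alone Python gate: any DOCTYPE, entity declaration or external entity reference aborts parsing before anything is fetched from disk or the network. It uses only the standard library, and the sample documents are constructed for the example.

```python
"""Reject XML carrying a DTD or external entities before parsing it.

Added example, not Facebook's code: the note says the XXE fix was to
disable external entities everywhere. This stdlib-only gate refuses any
DOCTYPE, entity declaration or external entity reference, so nothing is
fetched from disk or the network. The sample documents are constructed.
"""
import xml.etree.ElementTree as ET
from xml.parsers import expat


class XXEBlocked(ValueError):
    """Raised when a document tries to declare or use a DTD or external entity."""


def _reject(reason):
    # Build an expat callback that aborts parsing with a clear error.
    def handler(*_args):
        raise XXEBlocked(reason)
    return handler


def parse_xml_safely(data: bytes) -> ET.Element:
    """Parse `data` only if it contains no DOCTYPE, entity or external reference."""
    gate = expat.ParserCreate()
    # Never load external parameter entities (DTD fetch / XXE vector).
    gate.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    # Application XML needs no DTD, and the internal subset is where
    # SYSTEM/PUBLIC entities are declared, so reject any DOCTYPE outright.
    gate.StartDoctypeDeclHandler = _reject("DOCTYPE declaration not allowed")
    gate.EntityDeclHandler = _reject("entity declaration not allowed")
    gate.ExternalEntityRefHandler = _reject("external entity reference not allowed")
    gate.Parse(data, True)  # raises XXEBlocked, or ExpatError on malformed XML
    # Plain XML survived the gate; the stdlib tree builder is safe on it.
    return ET.fromstring(data)


def is_accepted(data: bytes) -> bool:
    """True if the document parses under the hardened rules, False if blocked."""
    try:
        parse_xml_safely(data)
        return True
    except XXEBlocked:
        return False


# Constructed samples: a benign document, and one in the shape the report
# describes (an external entity declared in the DTD and referenced in content).
BENIGN_DOC = b'<?xml version="1.0"?><report><id>42</id><status>fixed</status></report>'
XXE_DOC = (b'<?xml version="1.0"?>'
           b'<!DOCTYPE report [<!ENTITY leak SYSTEM "file:///placeholder/not/read">]>'
           b'<report><status>&leak;</status></report>')
```

Rejecting every DOCTYPE is stricter than the XML specification requires, but for application-to-application XML it is the simplest rule to audit, which matches the note's approach of turning the feature off globally rather than per endpoint.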

Looking forward

One of the most encouraging trends we've observed is that repeat submitters usually improve over time. It's not uncommon for a researcher who has submitted non-security or low-severity issues to later find valuable bugs that lead to higher rewards. To help encourage the best research, we're making a few changes:

  • We created a new, centralized Support Dashboard to give researchers a simple way to view the status of their reports and keep track of the progress: https://www.facebook.com/settings?tab=support
  • The following properties are now in scope: Instagram, Parse, Atlas, and Onavo.
  • We're no longer going to reward text injection reports. Rendering text on a page isn't a security issue on its own without some kind of additional social engineering, and we don't reward phishing reports.
  • We created a reference list of commonly reported issues that are ineligible: https://www.facebook.com/notes/facebook-bug-bounty/commonly-submitted-false-positives/744066222274273
  • We will continue to increase bounties over time for high-impact issues. In general, the best targets for high-impact issues as a security researcher are facebook.com itself, the Facebook or Instagram mobile apps, or HHVM.

Collin Greene is a Security Engineer at Facebook.

Source: https://www.facebook.com/notes/facebook-bug-bounty/bug-bounty-highlights-and-updates/818902394790655
