My Experience With The Facebook Bug Bounty Program (Guest Post)

Guest post by Harsha Vardhan Boppana, one of the Facebook bug bounty recipients from India, about his experience with the Facebook Bug Bounty program


Editor’s note: This is a guest post from Harsha Vardhan Boppana, an engineering student with an interest in ethical hacking. He is one of the Facebook bug bounty recipients from India, and in this guest post he shares his experience with the Facebook Bug Bounty program.

Today the number of companies running bug bounty programs is rapidly increasing. From Facebook to Google to Microsoft, everyone now runs such programs, which enable their community to find bugs and get rewarded. Undoubtedly they are more cost effective than hiring full-time employees to accomplish the same task. Moreover, companies with bug bounties are more secure.


Facebook, which has more than 1.15 billion total users and 699 million daily active users as per its recent Q2 2013 earnings report, definitely needs to protect such a huge user base. So it started its own Bug Bounty Program in 2011, which is still running. As per the most recent update, it has paid over $1 million in bounties to 329 security researchers in 51 countries, and India ranks as the second biggest bug bounty recipient, followed by the UK, Turkey and Germany. Besides these countries, Israel, Canada, Pakistan and others have the fastest growing number of recipients.

In these two years Facebook has mitigated many security issues discovered by researchers, ranging from low impact problems to vulnerabilities that allow hijacking a Facebook account.

The typical bounty paid for a valid vulnerability is 500 USD. The higher the impact of the vulnerability, the higher the bounty. I have been rewarded 4000 USD for my findings, and recently I was paid the bounty via the White Hat debit card, the most precious thing from Facebook. Some of the vulnerabilities that got me rewards in Facebook and its acquisitions were:

1. Cross-Site Scripting (XSS), which lets an attacker interfere with the application’s logic by inserting their own, allowing malicious scripts to be injected, and CSRF (Cross-Site Request Forgery), which forces an end user to execute unwanted actions on a web application in which the user is currently authenticated.

2. Content Spoofing, which makes the website display content supplied by the attacker as if it were its own, and other logic issues.

A lot of issues have been reported by researchers so far via the Bug Bounty program, including OAuth issues, account exploits, etc. Out-of-the-box thinking definitely helps a researcher uncover high impact security vulnerabilities, and such issues were still being reported in 2013, two years after the program started. The UK security researcher with the handle ‘fin1te’ reported a most fascinating vulnerability in June: any Facebook account could be hijacked via SMS as a result of it. He was rewarded 20000 USD, the largest single bounty paid so far, and he described the details of the vulnerability on his blog.

Apart from the recent mishap with the Facebook Bug Bounty Program, which led the Palestinian researcher Khalil Shreateh to post a status on Facebook founder Mark Zuckerberg’s wall (the Facebook security team soon acknowledged that they had failed in their communication with him and took proper measures), Facebook’s Bug Bounty program has tried its best to make the world’s largest social network safe and secure by mitigating a lot of vulnerabilities found by security researchers.

Image Courtesy: Philly.com