Facebook doubles the money it will pay for users who report security flaws
October 17, 2014
Facebook said publicly late yesterday that it has doubled the money it will pay out to users who report security flaws in its advertising code.
The increase is intended to draw hackers to its ads code after an internal security audit turned up an undisclosed number of vulnerabilities there.
Security engineer Collin Greene said Facebook will double bug payouts until Dec. 31, 2014.
"Starting today and extending through the end of 2014, all whitehat bugs in our ads code will receive double bounties," Greene wrote in a post.
"We found and fixed a number of security bugs but would like to encourage additional scrutiny from White hats to see what we might have missed. Also, since the vast majority of bug reports we work on with the Whitehat community are focused on the more common parts of Facebook code, we hope to encourage researchers to become more familiar with the surface area of ads to better protect the businesses that use them," Greene added.
The company has to date paid out some US $3 million in bug bounties, including a $33,500 award for an XML external entity (XXE) vulnerability that led to remote code execution.
Greene also offered some tips, noting that common bug classes such as cross-site scripting are unlikely to turn up in the ads code.
Researchers would have more luck targeting missing or incorrect permission checks, insufficient rate limiting that allows scraping, edge-case CSRF issues, and issues with Flash files.
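The first two bug classes Greene points at, a missing object-level permission check and rate limiting weak enough to permit scraping, are easy to show on a toy ads API. The code below is an added illustration for this article, not Facebook's code; the ad records, account names, user names and function names are all constructed for the example.

```python
"""Added illustration (constructed data, not Facebook code): an ad lookup
endpoint with a missing permission check beside the corrected version,
plus a sliding-window rate limiter that blunts id-range scraping."""
import time
from collections import defaultdict, deque

# Constructed sample data: ad ids, the ad account each belongs to, and
# which user owns each account. Ids are contiguous, as a scraper hopes.
ADS = {
    101: {"account": "acct-alice", "name": "Spring sale"},
    102: {"account": "acct-bob", "name": "Bike clearance"},
}
ACCOUNT_OWNER = {"acct-alice": "alice", "acct-bob": "bob"}


class Forbidden(Exception):
    pass


class RateLimited(Exception):
    pass


def get_ad_vulnerable(user, ad_id):
    # Bug class 1 (missing permission check): the endpoint confirms only that
    # the caller is logged in, never that the caller owns the ad account.
    return ADS[ad_id]


def get_ad_checked(user, ad_id):
    # Fix: object-level authorization, keyed on the ad's owning account.
    ad = ADS[ad_id]
    if ACCOUNT_OWNER.get(ad["account"]) != user:
        raise Forbidden(f"{user} may not read ad {ad_id}")
    return ad


class RateLimiter:
    """Sliding-window limiter: at most `limit` calls per `window` seconds per key."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)

    def check(self, key, now=None):
        now = time.monotonic() if now is None else now
        q = self.hits[key]
        while q and now - q[0] > self.window:  # drop hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            raise RateLimited(key)
        q.append(now)


def enumerate_ads(fetch, user, id_range, limiter=None, now=0.0):
    """Simulate a scraper walking a contiguous id range as one user.

    Returns the ids it managed to read. Unknown ids, denied ids and
    rate-limited calls are skipped, as a real scraper would skip them.
    """
    got = []
    for ad_id in id_range:
        try:
            if limiter is not None:
                limiter.check(user, now)
            fetch(user, ad_id)
        except (Forbidden, RateLimited, KeyError):
            continue
        got.append(ad_id)
    return got


if __name__ == "__main__":
    # Bug class 2 (no rate limit): alice reads every ad, including bob's.
    print(enumerate_ads(get_ad_vulnerable, "alice", range(100, 105)))
    # With the permission check alice sees only her own ad.
    print(enumerate_ads(get_ad_checked, "alice", range(100, 105)))
    # A limiter of 2 requests per window cuts the same walk short.
    print(enumerate_ads(get_ad_vulnerable, "alice", range(100, 105),
                        limiter=RateLimiter(limit=2, window=60)))
```

The limiter here is a single-process in-memory sketch; in production the counters would live in a shared store and the window would be tuned per endpoint. Note that the limiter alone does not fix the authorization bug, it only slows its exploitation, so the permission check is the real fix and the limiter is defence in depth.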
Not to be outdone, Yahoo has touted its recent HackerOne bug bounty that has since paid out $700,000 to 600 security researchers.
It also comes as Facebook is reported to be introducing a Safety Check feature that sends push notifications to users travelling in known disaster areas.
Users in those areas would then be asked to confirm they are safe; if they report being in danger, a notice is posted to their feed.