Record year for Facebook bug hunters
Posted on 04 April 2014.
With nearly 15,000 submissions - 687 of which were valid and eligible for awards - 2013 was a record year for Facebook's bug bounty program. Add to this the fact that the company paid out $1.5M to 330 researchers across the globe, and it is fair to say that it was a good year for everyone involved.

"The average reward in 2013 was $2,204, and most bugs were discovered in non-core properties, such as websites operated by companies we've acquired," shared Collin Greene, Security Engineer at Facebook.

"6% of eligible bugs were categorized as high severity. From reading the first submission to implementing an initial fix, our median response time for these high-severity issues was about 6 hours," he added.

Submissions from Indian researchers were the most numerous (136) in 2013, followed by those from US, Brazilian and UK researchers (92, 53 and 40 bugs found respectively). But Russian researchers have, as a group, earned the most from their submissions - an average of $3,961 for 38 bugs.

Brazilian researcher Reginaldo Silva got the biggest award to date - $33,500 - for discovering a remote code execution flaw affecting Facebook's servers.

"Security is about more than just code, and it's important to remember that security bugs can arise from circumstances that aren't highly technical or complex," Greene pointed out. "For example, we awarded a bounty after learning that the UI logic on our Page administrator tool could have caused someone attempting to decline an admin confirmation request to inadvertently add that person as an admin. We fixed the interface to make the intent clearer."

Greene ended with several announcements about changes to the bug bounty program. Instagram, Parse, Atlas, and Onavo are now also in scope, but text injection reports will no longer be rewarded.

Bounties for high-impact issues will increase as time passes. "In general, the best targets for high-impact issues as a security researcher are facebook.com itself, the Facebook or Instagram mobile apps, or HHVM," he concluded.

Copyright 1998-2015 by Help Net Security.