Facebook's bug bounty program celebrates its 10th anniversary, security officers talk about where they are and where they are to come



Many large IT companies, such as Google and Apple, have set up bug bounty programs that reward them for reporting vulnerabilities in their services. Facebook has been running its own bug bounty program '

Bug Bounty Program ' since 2011, and 2020 marked its 10th anniversary. At the milestone of its 10th anniversary, Facebook Security Engineering Manager Dan Gurfinkel talks about the history, current status and future of the program.

Marking the 10th Anniversary of Our Bug Bounty Program --About Facebook
https://about.fb.com/news/2020/11/bug-bounty-program-10th-anniversary/

External researchers participating in Facebook's bug bounty program have contributed to improving Facebook's security and privacy by reporting undiscovered vulnerabilities. The bug bounty program has helped to fix problems quickly and protect the Facebook community, and the rewards paid are motivating to drive higher quality security research, Gurfinkel said.

Over the last 10 years, more than 50,000 researchers have participated in the program, of which about 1,500 have received bounties. The nationalities of researchers who received the bounty are in 107 countries. It seems that some researchers have joined Facebook's security team and engineering team and continue to work to protect the Facebook platform, and Mr. Gurfinkel himself is one of them.

Here's a summary of what Facebook's bug bounty program looks like as of 2020:

・ Since 2011, Facebook's bug bounty program has received 130,000 reports, of which 6900 have been eligible for bounties.
・ Of the approximately 17,000 reports reported in 2020, more than 1,000 were eligible for incentives.
・ In 2020, we paid more than $ 1.98 million (about 200 million yen) incentives to researchers in more than 50 countries.
・ The amount of incentives paid in one year has reached a record high every year for the past three years.
・ India, Tunisia and the United States are the top three countries that received the bounty in 2020.

When reviewing a report on an issue that needs to be fixed, Facebook will not just look at the content of the submitted report, but also look at the underlying area of the code to better understand the issue. Gurfinkel says that these aggressive investigations can also find improvements to further protect the security and privacy of our users. As the bug reporting program celebrates its 10th anniversary, Gurfinkel recognizes the impact of the research community on helping protect Facebook, and presents two reports that helped find and fix important issues. I am.



One of the reports was from a researcher who participated in Facebook's bug bounty program in 2020, and the other was from a researcher at Google's vulnerability research project '

Project Zero '. Both bugs were quickly patched by the team and further protected through follow-up reviews that combined automatic problem detection with manual code reviews. There seems to be no evidence of misuse.

The first report was reported in early 2020. Selamet Hariyanto has discovered a bug in the content delivery network (CDN) for delivering content to Facebook users around the world that 'there is a URL that can be accessed even if it has expired.' The reported bug itself had little impact and was quickly fixed, but internal researchers found that 'a very good hacker could sometimes execute code remotely.' Facebook's bug bounty program tells Hariyanto 800,000 because the bounty amount is based on the maximum impact of the report, even if the first issue reported in the report is less impactful. He said he paid $ (about 83 million dollars).

The second report is a messenger vulnerability reported by Natalie Silvanovich of Project Zero in the fall of 2020. Specifically, it was a vulnerability that allowed an attacker to log in to Messenger and send a message to other Messenger users while receiving a call using the Messenger app for Android. The vulnerability could allow voice to be intercepted while the other party's device was receiving a call until the call was canceled or timed out. In order for this attack to be successful, the attacker had to have the authority to talk to the other party, such as by making friends with the other party on Facebook. He also said that the attacker had to use a reverse engineering tool to operate his own messenger app and send a custom message.

After fixing the reported vulnerability on the server side, Facebook also fixed the vulnerability by adding an app that uses the same protocol for one-on-one calls. Considering the maximum possible impact of this report, it is said that the third highest amount in the history of the program, 600,000 dollars (about 62 million yen) was paid.



When it was first established in 2011, Facebook's bug bounty program targeted only web pages, but as of 2020, it also targets mobile apps, Instagram, WhatsApp, Oculus, and more. While the threat from attacks is increasing year by year, Facebook is focusing on the following three points.

・ Countermeasures against new risks: Incentives are given by instructing security investigations in new risk areas such as misuse of Facebook data by app developers and security bugs of third-party apps and external websites that can access Facebook data. It is said that it will develop a method of giving.

-Providing better research tools: We will provide tools to the community to discover Facebook bugs and make it easier for researchers to receive more rewards. The recently released Facebook Bug Description Language is one such effort, Gurfinkel explained, as it allows you to quickly build a test environment to reproduce bugs. It also ranks researchers according to their contribution, giving high-ranked researchers benefits such as bonuses and badges, early access to pre-release products and features, and exclusive invitations to bug bounty events. Facebook's original reward program ' Hacker Plus ' was also established in October 2020, and it seems that it is paying a bonus of 40,000 dollars (about 4.2 million yen) at the time of writing the article.

And researchers of the network construction: hacking events and is the Facebook of the researchers of the meeting to participate in the bug reporting program BountyCon through, go and things to build a network of researchers.

“Thanks to the bug bounty community for contributing to Facebook through valuable research over the last decade, and to everyone who has contributed to the growth of the program in 2020. Making our collaboration even more effective. We're always grateful for the feedback we've made, and we look forward to working with you to keep the platform secure, 'Gurfinkel commented. ..

in Web Service,   Security, Posted by darkhorse_log