Facebook fixed 61 high-severity flaws last year through its bug bounty program

The company paid US$1.3 million to 321 outside security researchers in 2014

As a result of reports received through its bug bounty program Facebook confirmed and fixed 61 high-severity vulnerabilities last year, almost 50 percent more than in 2013.

Since 2011, the company has been paying monetary rewards to researchers who report flaws that could compromise the integrity or privacy of user data or could enable access to systems within its infrastructure.

While the minimum reward is US$500, there is no upper limit; the company decides how much to pay based on a bug's severity and sophistication. The program covers not only the facebook.com site and related services, but also other products that Facebook created or acquired, such as Instagram, Parse, Onavo, Oculus, Moves and osquery.

In 2014, the company paid bug bounties totaling $1.3 million to 321 researchers from 65 countries, according to a newly published annual report. The average reward was $1,788, and the top three countries where valid bug reports originated were India, with 196 submissions; Egypt, with 81; and the U.S., with 61.

While Facebook did not reveal the largest bounty it paid last year for a single vulnerability, it pointed out that the top five earners collectively netted $256,750.

It's worth noting that, based on the statistics released by the company, finding a critical bug is not that easy. Facebook received 17,011 bug submissions in 2014 and those resulted in only 61 high-risk bugs being identified.

Unlike in previous years, Facebook didn't publish the total number of valid bugs it identified over the course of last year through its bug bounty program. In 2013 there were a total of 14,763 submissions and 687 valid bugs, which suggests that on average only 1 in 21 submissions leads to a new bug being discovered.

This also puts into perspective the resources needed for a company with a large website to run its own bug bounty program. There are bound to be many false-positive, fake and duplicate submissions, which require a large security team to sift through.

The program also helped Facebook identify some rather generic flaws that other developers might also have to deal with in their own sites and applications. The company gave three examples: an issue where backend code was receiving multiple values for the same parameter; an error where an attacker could register new S3 storage buckets on Amazon Web Services, which is used by many sites; and one that allowed legacy REST API calls to be made on behalf of users without proper authentication.
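The first of those flaw classes, a backend receiving multiple values for the same parameter (often called HTTP parameter pollution), as an added example that is not from the article or from Facebook: it shows how two common parsing conventions disagree on the same constructed query string, and a strict parser that rejects duplicated parameters outright so that an authorization check and the data access it guards cannot end up reading different values. The query string and parameter names are constructed for illustration.

```python
from urllib.parse import parse_qs, parse_qsl

# Constructed sample: the same parameter appears twice in one request.
SAMPLE_QUERY = "user_id=1001&action=view&user_id=2002"


def first_value(query: str) -> dict:
    """Model a backend layer that keeps the FIRST occurrence of each parameter."""
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def last_value(query: str) -> dict:
    """Model a backend layer that keeps the LAST occurrence.

    dict() over the (key, value) pairs silently overwrites earlier values,
    which is a common pattern in hand-rolled parsers.
    """
    return dict(parse_qsl(query, keep_blank_values=True))


def find_duplicates(query: str) -> list:
    """Return the names of parameters that were supplied more than once."""
    return sorted(k for k, v in parse_qs(query, keep_blank_values=True).items()
                  if len(v) > 1)


def strict_params(query: str) -> dict:
    """Parse a query string, refusing any parameter that appears twice.

    Rejecting the request is the safe default: it removes the possibility
    that an access check and the later lookup see different values.
    """
    seen = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        if key in seen:
            raise ValueError(f"duplicate parameter: {key}")
        seen[key] = value
    return seen


if __name__ == "__main__":
    print("first-wins :", first_value(SAMPLE_QUERY))   # user_id -> '1001'
    print("last-wins  :", last_value(SAMPLE_QUERY))    # user_id -> '2002'
    print("duplicates :", find_duplicates(SAMPLE_QUERY))
    try:
        strict_params(SAMPLE_QUERY)
    except ValueError as err:
        print("rejected   :", err)
```

If the access check runs in a layer that takes the first value and the record lookup in one that takes the last, the check is evaluated for one user and the data returned for another; the strict parser closes that gap at the boundary.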
