Menu
Facebook fixed 61 high-severity flaws last year through its bug bounty program

Facebook fixed 61 high-severity flaws last year through its bug bounty program

The company paid US$1.3 million to 321 outside security researchers in 2014

As a result of reports received through its bug bounty program Facebook confirmed and fixed 61 high-severity vulnerabilities last year, almost 50 percent more than in 2013.

Since 2011, the company has been paying monetary rewards to researchers who report flaws that could compromise the integrity or privacy of user data or could enable access to systems within its infrastructure.

While the minimum reward is US$500, there is no upper limit. The company decides how much to pay depending on a bug's severity and sophistication. The program doesn't cover only the facebook.com site and related services, but also other products that Facebook created or acquired, like Instagram, Parse, Onavo, Oculus, Moves and osquery.

In 2014, the company paid bug bounties totaling $1.3 million to 321 researchers from 65 countries, according to a newly published annual report. The average reward was $1,788 and the top three countries where valid bug reports originated were India, with 196 submissions; Egypt, with 81 and the U.S. with 61.

While Facebook did not reveal the largest bounty it paid last year for a single vulnerability, it pointed out that the top five earners collectively netted $256,750.

It's worth noting that, based on the statistics released by the company, finding a critical bug is not that easy. Facebook received 17,011 bug submissions in 2014 and those resulted in only 61 high-risk bugs being identified.

Unlike in previous years, Facebook didn't publish the total number of valid bugs that it identified over the course of last year as a result of its bug bounty program. In 2013 there were a total 14,763 submissions and 687 valid bugs, which would suggest that on average only 1 in 21 submissions leads to a new bug being discovered.

This also puts into perspective the resources needed for a company with a large website to run its own bug bounty program. There are bound to be many false positive, fake and duplicate submissions, which would require a large security team to sift through.

The program also helped Facebook identify some rather generic flaws that other developers out there might also have to deal with in their own sites and applications. The company gave three examples: a issue where backend code was receiving multiple values for the same parameter; an error where the attacker could register new S3 storage buckets on Amazon Web Services, which is used by many sites; and one that allowed legacy REST API calls to be made on behalf of users without proper authentication.


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags Facebookonline safetypatchesExploits / vulnerabilities

Featured

Slideshows

Channel gathers to celebrate the Reseller News Innovation Awards 2020 winners

Channel gathers to celebrate the Reseller News Innovation Awards 2020 winners

More than 500 channel leaders gathered in Auckland on 21 October at the ​Reseller News Innovation Awards ​2020 to celebrate the achievements of the New Zealand technology industry's top partners, start-ups, vendors, distributors and individuals.

Channel gathers to celebrate the Reseller News Innovation Awards 2020 winners
Meet the winners of the 2020 Reseller News Innovation Awards

Meet the winners of the 2020 Reseller News Innovation Awards

Reseller News honoured the standout players of the New Zealand channel in front of more than 500 technology leaders in Auckland on 21 October, recognising the achievements of top partners, start-ups, vendors, distributors and individuals.

Meet the winners of the 2020 Reseller News Innovation Awards
Meet the Reseller News 30 Under 30 Tech Awards 2020 winners

Meet the Reseller News 30 Under 30 Tech Awards 2020 winners

This year’s Reseller News 30 Under 30 Tech Awards were held as an integral part of the first entirely virtual Emerging Leaders​ forum, an annual event dedicated to identifying, educating and showcasing the New Zealand technology market’s rising stars. The 30 Under 30 Tech Awards 2020 recognised the outstanding achievements and business excellence of 30 talented individuals​, across both young leaders and those just starting out. In this slideshow, Reseller News honours this year's winners and captures their thoughts about how their ideas of leadership have changed over time.​

Meet the Reseller News 30 Under 30 Tech Awards 2020 winners
Show Comments