Thursday, February 11, 2016

Facebook Pays Thousands Of Dollars To Bug Hunters To Find Vulnerabilities


210 security researchers have earned $936,000 from Facebook for providing valid reports to it.

Facebook announced on February 10, 2016 that it paid $936,000 to 210 security researchers for 526 valid reports last year. Since the program launched in August 2011, the social network has paid more than $4.3 million to over 800 researchers for roughly 2,400 valid submissions.
The sum paid in 2015 is lower than that of 2014, which in turn was lower than 2013: the company paid $1.3 million to 321 researchers in 2014 and $1.5 million to 330 researchers in 2013. Total submissions rose between 2013 and 2014 (from 14,763 to 17,011) but fell in 2015, when Facebook received 13,233 bug bounty submissions from 5,543 researchers in 127 countries.
Even the average payout declined slightly, from $1,788 in 2014 to $1,780 in 2015. One figure rose, however: 102 submissions were classified as high-impact last year, a 38% increase over 2014. Facebook gives two reasons for the lower totals and the higher share of high-impact reports.
First, the quality of reports is improving; second, more reports concern business logic. The former means the security team now receives step-by-step reproduction instructions, sees the attack scenario laid out in the submission, and gets reports that prioritize a handful of important issues rather than a long list of low-impact bugs.
The latter means the company can eliminate an entire class of vulnerabilities at once by applying a researcher's finding across the whole codebase.
Techworm reported last month that Facebook paid a security researcher $7,500 for discovering a cross-site scripting (XSS) vulnerability that could have allowed attackers to take over users' Facebook accounts.
The flaw was found by British security consultant Jack Whitton. He reported it to Facebook immediately, and the company's engineers fixed it within six hours.
Facebook representatives confirmed that Whitton received $7,500 for disclosing the issue responsibly.
Whitton posted details of the XSS flaw on his blog, explaining that the attack combined two weaknesses: a DNS issue and a content-type issue. He found that in some situations an uploaded file could be made to render as HTML simply by changing its extension to .html. Regular photos and videos could not be modified this way, but advertising images uploaded through Facebook Ads Manager could.
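The content-type half of that attack comes down to where the server gets the MIME type for an upload. As an added illustration (hypothetical code, not Whitton's write-up or Facebook's implementation), the Python below contrasts a handler that derives Content-Type from the caller-supplied file name, so that renaming a stored payload to .html turns it into an executable document, with one that derives the type from the validated bytes and ignores the name entirely. The sample PNG header and HTML payload are constructed inline; the function names and the 415 response are this example's own choices.

```python
import mimetypes
import secrets

# Constructed sample inputs (not real uploads): a minimal PNG header padded out,
# and an HTML payload an attacker uploads where an ad image is expected.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
SAMPLE_PNG = PNG_MAGIC + b"\x00" * 32
SAMPLE_HTML = b"<html><body><script>alert(document.domain)</script></body></html>"

# Allowlist of image types, identified by leading bytes rather than by name.
MAGIC_TO_TYPE = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}
TYPE_TO_EXT = {"image/png": "png", "image/jpeg": "jpg", "image/gif": "gif"}


def sniff_image_type(data):
    """Return the allowlisted image type for these bytes, or None if they are not an image."""
    for magic, ctype in MAGIC_TO_TYPE.items():
        if data.startswith(magic):
            return ctype
    return None


def vulnerable_serve(stored, requested_name):
    """Weak handler: derives Content-Type from the name in the request.
    The same stored bytes come back as image/png for evil.png and as
    text/html for evil.html, so script inside them runs in the serving origin."""
    ctype, _ = mimetypes.guess_type(requested_name)
    return {
        "status": 200,
        "headers": {"Content-Type": ctype or "application/octet-stream"},
        "body": stored,
    }


def store_upload(data):
    """Hardened upload step: validate the bytes, then choose the stored name
    ourselves (random token plus the extension matching the sniffed type).
    Returns (server_name, content_type), or (None, None) when rejected."""
    ctype = sniff_image_type(data)
    if ctype is None:
        return None, None
    return f"{secrets.token_hex(16)}.{TYPE_TO_EXT[ctype]}", ctype


def hardened_serve(stored, requested_name):
    """Hardened handler: Content-Type comes from the validated bytes, the
    requested name is ignored, the browser is told not to sniff, and anything
    that is not an allowlisted image is refused instead of served."""
    ctype = sniff_image_type(stored)
    if ctype is None:
        return {"status": 415, "headers": {"X-Content-Type-Options": "nosniff"}, "body": b""}
    return {
        "status": 200,
        "headers": {
            "Content-Type": ctype,
            "X-Content-Type-Options": "nosniff",
            # Defence in depth: if a non-image ever did reach a browser as a
            # document, a sandboxed document gets an opaque origin and no script.
            "Content-Security-Policy": "sandbox",
        },
        "body": stored,
    }


if __name__ == "__main__":
    # The extension trick: same HTML bytes, two names, two different outcomes.
    for name in ("ad.png", "ad.html"):
        weak = vulnerable_serve(SAMPLE_HTML, name)
        hard = hardened_serve(SAMPLE_HTML, name)
        print(f"{name:8} weak -> {weak['headers']['Content-Type']:12} hardened -> {hard['status']}")
    print("real PNG requested as .html, hardened ->",
          hardened_serve(SAMPLE_PNG, "ad.html")["headers"]["Content-Type"])
```

The sniff-on-upload and sniff-on-serve checks are deliberately redundant: the stored name is chosen by the server, but the serving path still refuses to trust it. The usual third layer, serving user uploads from a separate origin so that even a rendered HTML file cannot reach the main site's cookies or DOM, is not shown here because it is a deployment decision rather than code.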
