12/17/2018

Facebook, Under Scrutiny, Pays Out Largest Bug Bounty Yet

There is a bright spot despite all these hacks

This has not been Facebook's proudest year for privacy and security. The company faced the massive Cambridge Analytica data misuse and abuse scandal in April and beyond. It also disclosed its first data breach in October, which compromised information from 30 million accounts. But Facebook has at least one security-focused bright spot it can point to in 2018: its bug bounty.

Bug bounties are programs that let security researchers submit potential flaws and vulnerabilities in a company's software. Anyone can send a report and, perhaps, receive a reward for helping lock down a company's systems. Welcoming bug reports was a controversial practice for decades, but Facebook's program, which launched in 2011, is one of the oldest and most mature in the industry. The bug bounty has paid out more than $7.5 million over time, including $1.1 million in 2018. And this year Facebook also paid its biggest single bounty ever, $50,000, to one of its top contributors.

The bug that garnered this windfall was in Facebook's developer subscription mechanism for notifications on certain types of user activity. Think of it as RSS for data being generated on Facebook. The researcher found that in certain situations a developer, or attacker, could have manipulated the subscriptions to receive updates that shouldn't have been authorized about certain actions and users. For instance, a rogue developer could have gotten regular updates on who liked or commented on a specific post.

Please select this link to read the complete article from WIRED.