A Look Back at 2019 Bug Bounty Highlights

By Dan Gurfinkel, Facebook Security Engineering Manager

February 10, 2020

Over the past nine years, our bug bounty program has played a critical role in helping us quickly detect and fix vulnerabilities and spot new security trends. In 2019, the program hit a number of milestones, including, for the second year in a row, awarding our highest bug bounty payout to date.

In this post, well share a few of the 2019 highlights, including our continued collaboration with some of the worlds most talented researchers who have helped us strengthen the security of our services.
2019 Highlights
  • We awarded over $2.2 million to researchers from over 60 countries, bringing our payout total since the program began to more than $9.8 million
  • We received around 15,000 reports in total, and issued bounties on over 1,300 of them
  • The average bounty amount was over $1,500
  • We made over $35,000 in matching donations to charities when security researchers opted to direct their awards to various causes
  • The top three countries for bug bounties based on the sum of payouts were India, Tunisia, and the U.S.
Bug spotlight

In September, we hosted a one-day live hacking event in Canada with around 50 top security researchers in our program from around the world. One of the highlights was a find by Youssef Sammouda, who also ranked at the top of our whitehat leaderboard this year. This $65,000 bounty award surpassed last years largest bounty payout.

Youssef discovered a bug when performing a web query for an endpoint used to handle copyright management. Due to a misconfigured error response, a web query could have returned unintended data fragments from the copyrights endpoint. We patched this issue within hours of Youssef reporting it to us. After deploying the initial fix, we went on to do a thorough follow-up review using a combination of automated detection and manual code review. As a result, we fixed a broader framework in the way errors were handled to prevent other endpoints from potentially returning similar data. As we always do, we have awarded the researcher based on the maximum possible impact of his report, rather than on the initial issue he reported to us.

Growing our Data Abuse Bounty program

In 2018, we launched a first-of-its-kind data abuse bounty program to reward people who report misuse of data by app developers so we can address it quickly.

We recently made our highest payout to date in this program at $30,000. In 2019, a group of security researchers led by Luyi Xing from Indiana University reported an issue where SDK providers were paying 3rd party app developers to use malicious SDKs in their apps, available in popular app stores. We worked with the researchers and other impacted tech companies to understand the full scope of this activity. As a result, we removed the apps from our platform for violating our policies and issued cease and desist letters against these SDK providers. This kind of collaboration with our industry peers and researchers is exactly why we launched the data abuse bounty program so we can help make the wider internet ecosystem more secure.

Expanding the scope of the Bug Bounty program

In 2019, we also expanded the scope of our Data Abuse Bounty program to include Instagram, provided additional incentives for researchers to test our native products and made it easier to test for mobile vulnerabilities.

In particular, we want to spotlight the following updates:
  • For the first time in the history of our program, we invited a select group of researchers over the course of this year to help us test the security of a number of new features prior to launch. This included Facebook Dating, Checkout on Instagram, and FB5. Our goal is to ensure that we find and fix any potential issues as quickly as possible before we roll out new products and features worldwide. We look forward to continuing this initiative.
  • We also expanded the scope of our industry-first bug bounty for third-party apps and websites that integrate with Facebook to begin rewarding reports found through active pen-testing (when its authorized by third-parties) rather than just by passively observing the vulnerability. This update significantly increased the range of security research that our bug bounty community can share with us and get rewarded for when they find potential vulnerabilities in these external apps and websites.
Connecting with the bug bounty community

Finally, we partnered with Google to run BountyCon in Singapore, an event dedicated to building relationships with researchers in the Asia-Pacific region and sharing practical approaches for discovering and reporting high-quality vulnerabilities. At BountyCon, we also hosted a live hacking event where we awarded $120,000 in bounty payouts for 40 valid bug submissions. Thanks to this conference, new researchers joined our program and we have already received high quality bug reports from them.

Were bringing back BountyCon to Singapore in April 2020 and you can find more details on the conference and eligibility criteria here.

We want to thank everyone who contributed to the growth of our program in 2019 and look forward to our continued collaboration this year to keep our platforms secure!

Terms of Use | Copyright 2002 - 2019 CONSTITUENTWORKS SM  CORPORATION. All rights reserved. | Privacy Statement