A Look Back at 2019 Bug
By Dan Gurfinkel, Facebook Security Engineering Manager
February 10, 2020
Over the past nine years, our bug bounty program has played a critical role in helping us quickly detect and fix vulnerabilities and spot new security trends. In 2019, the program hit a number of milestones, including, for the second year in a row, awarding our highest bug bounty payout to date.
In this post, we’ll share a few of the 2019 highlights, including our continued collaboration with some of the world’s most talented researchers who have helped us strengthen the security of our services.
In September, we hosted a one-day live hacking event in Canada with around 50 top security researchers in our program from around the world. One of the highlights was a find by Youssef Sammouda, who also ranked at the top of our whitehat leaderboard this year. This $65,000 bounty award surpassed last year’s largest bounty payout.
Youssef discovered a bug when performing a web query against an endpoint used to handle copyright management. Due to a misconfigured error response, a web query could have returned unintended data fragments from the copyrights endpoint. We patched this issue within hours of Youssef reporting it to us. After deploying the initial fix, we went on to do a thorough follow-up review using a combination of automated detection and manual code review. As a result, we fixed the broader error-handling framework to prevent other endpoints from potentially returning similar data. As we always do, we awarded the researcher based on the maximum possible impact of his report, rather than on the initial issue he reported to us.
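To make the class of bug concrete, here is an added illustration; it is not Facebook's code, and the endpoint name, record layout, `RecordError` exception and `with_safe_errors` wrapper are all assumptions made for the example. The "before" handler formats its own error and serialises the exception's state, so a data-layer exception that carries the record it failed on leaks that record to the client. The "after" version moves error handling into one framework-level wrapper that logs full detail server-side and returns only a fixed message, which is the shape of fix the post describes. A small regression check shows how to test any endpoint for the same leak.

```python
"""Verbose error responses that leak data fragments, beside a central sanitised
error handler.  Added example; the endpoint, data layout and exception type are
assumptions, not the original post's code."""

import json
import logging

log = logging.getLogger("api.errors")

# Constructed sample store: one restricted record whose fields must never reach a client.
_RECORDS = {
    "c-1001": {
        "status": "restricted",
        "owner_email": "owner@example.invalid",
        "claim_text": "private claim details",
    },
}


class RecordError(Exception):
    """Assumed data-layer error that attaches the offending record for server-side debugging."""

    def __init__(self, message, record):
        super().__init__(message)
        self.record = record


def fetch_copyright(record_id):
    """Assumed data-layer lookup: only public records may be returned."""
    record = _RECORDS.get(record_id)
    if record is None:
        raise KeyError(record_id)
    if record["status"] != "public":
        raise RecordError("record is not viewable", record)
    return {"id": record_id, "claim_text": record["claim_text"]}


def leaky_copyrights_endpoint(request):
    """Before: the endpoint formats its own error and dumps the exception's state."""
    try:
        return 200, fetch_copyright(request["id"])
    except Exception as exc:
        # Bug: vars(exc) serialises the attached record straight into the response body.
        return 500, {"error": str(exc), "debug": vars(exc)}


def with_safe_errors(handler):
    """After: one framework-level wrapper applied to every endpoint.

    Clients only ever see a fixed message; full detail goes to the server log."""

    def wrapped(request):
        try:
            return handler(request)
        except KeyError:
            return 404, {"error": "not found"}
        except Exception:
            log.exception("handler %s failed", handler.__name__)
            return 500, {"error": "internal error"}

    wrapped.__name__ = handler.__name__
    return wrapped


@with_safe_errors
def copyrights_endpoint(request):
    """The same endpoint with error formatting delegated to the framework."""
    return 200, fetch_copyright(request["id"])


def response_leaks_record(body, record):
    """Regression check: does any value of a private record appear in the serialised response?"""
    text = json.dumps(body, default=str)
    return any(str(value) in text for value in record.values())


if __name__ == "__main__":
    for endpoint in (leaky_copyrights_endpoint, copyrights_endpoint):
        status, body = endpoint({"id": "c-1001"})
        leaked = response_leaks_record(body, _RECORDS["c-1001"])
        print(f"{endpoint.__name__}: status={status} leaks_private_data={leaked}")
```

The check in `response_leaks_record` is deliberately crude (substring match on every field value), which is what makes it useful as an automated sweep across many endpoints after a framework-level fix: run each handler against a restricted record and assert that nothing from that record shows up in the response body, whatever status code comes back.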
Growing our Data Abuse Bounty program
In 2018, we launched a first-of-its-kind data abuse bounty program to reward people who report misuse of data by app developers so we can address it quickly.
We recently made our highest payout to date in this program at $30,000. In 2019, a group of security researchers led by Luyi Xing from Indiana University reported an issue where SDK providers were paying third-party app developers to use malicious SDKs in their apps, available in popular app stores. We worked with the researchers and other impacted tech companies to understand the full scope of this activity. As a result, we removed the apps from our platform for violating our policies and issued cease-and-desist letters against these SDK providers. This kind of collaboration with our industry peers and researchers is exactly why we launched the data abuse bounty program, so that we can help make the wider internet ecosystem more secure.
Expanding the scope of the Bug Bounty program
In 2019, we also expanded the scope of our Data Abuse Bounty program to include Instagram, provided additional incentives for researchers to test our native products, and made it easier to test for mobile vulnerabilities.
In particular, we want to spotlight the following updates:
Connecting with the bug bounty community
Finally, we partnered with Google to run BountyCon in Singapore, an event dedicated to building relationships with researchers in the Asia-Pacific region and sharing practical approaches for discovering and reporting high-quality vulnerabilities. At BountyCon, we also hosted a live hacking event where we awarded $120,000 in bounty payouts for 40 valid bug submissions. Thanks to this conference, new researchers joined our program, and we have already received high-quality bug reports from them.
We’re bringing BountyCon back to Singapore in April 2020, and you can find more details on the conference and eligibility criteria here.
We want to thank everyone who contributed to the growth of our program in 2019 and look forward to our continued collaboration this year to keep our platforms secure!