Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Facebook Bug Security The Almighty Buck IT

Facebook To Pay Hackers For Bugs 54

alphadogg writes "Facebook is going to pay hackers to find problems with its website — just so long as they report them to Facebook's security team first. The company is following Google and Mozilla in launching a Web 'Bug Bounty' program. For security related bugs — cross site scripting flaws, for example — the company will pay a base rate of $500. If they're truly significant flaws Facebook will pay more, though company executives won't say how much. 'In the past we've focused on name recognition by putting their name up on our page, sending schwag out and using this an avenue for interviews and the recruiting process,' said Alex Rice, Facebook's product security lead. 'We're extending that now to start paying out monetary rewards.'"
This discussion has been archived. No new comments can be posted.

Facebook To Pay Hackers For Bugs

Comments Filter:
  • by Anonymous Coward

    Good step in the right direction.

    *golf clap*

  • by Anonymous Coward

    ...like Microsoft/Adobe/Apple should take notice.

  • no assurance the said hacker won't sell the information extracted during this "lawful" exercise "authorized" by F-book.

  • I found one! It's called the Zuckerbug. It appears the Zuckerbug is a kind of malware posing as a security solution, when in reality it steals your personal information which is then sold off.
    • Re: (Score:1, Troll)

      by Elbereth ( 58257 )

      That's so fucking witty!

      I'm sure you'll be duly upmodded by the Slashbots, for repeating the groupthink that appears in every fucking Facebook story.

      • by bky1701 ( 979071 )
        Wow, complaining about modding? 'Slashbots'? Did you come up with that one yourself?

        Oh wait. Of course not. I've only heard it a few hundred times before. Next time you accuse someone of 'repeating groupthink,' maybe you should at least attempt to hide your own lack of original thought.
        • by Anonymous Coward

          You have misunderstood. When someone speaks against groupthink they are always individual thinkers. It is not possible that a web forum would include more than one group of like-minded people.

          Feel free to disagree but understand that that makes you a slashbot, as I am an individual.

      • Gee, and I thought trolls respected "Elbereth." :^P

  • The website is infinitely more robust than their iPhone app. Their crappy app is the reason most of my friends don't use Facebook anywhere near as much as they used to.
  • by viking80 ( 697716 ) on Friday July 29, 2011 @07:49PM (#36929554) Journal

    ..then we all would be rich. I have not seen any major destination with so many glaring front page defects. Ebay even came to my house, (3 use case specialists strong, and left me an ebay cap!), but no bug fixes as a result.

  • Facebook's security team already engages in a lot of dialogue between security researchers and its own programmers. The company is contacted between 30 and 50 times each week by hackers. Their information leads to an average of about one to three "actionable bugs," per week, Rice said. Most of these are cross-site scripting or cross-site request forgery issues. These are both very common Web programming errors that could be abused by scammers and cybercrooks to rip off Facebook users.

    Sounds to me like Facebook would be better served reviewing their coding and auditing practices.
    I mean.. one to three a week, do they not sanitize their inputs?

    • Re: (Score:2, Funny)

      by Anonymous Coward

      Well, it WAS put together by PHP coders...

    • by growse ( 928427 )
      Why would they sanitise their inputs, gIven that XSS is caused by output content encoding bugs?
  • Payoff (Score:2, Offtopic)

    by tpstigers ( 1075021 )
    Find a flaw and send us an email describing it. We'll pay you $500, then we'll make $600 selling your email address.
  • I'm going to get money for pointing out their interface to them.
  • pay developers to fix them?
  • And I do mean delusional, as in out of touch with reality. Facebook must think the people that create these exploits are either really stupid, they don't understand their audience, or this is a token gesture. $500 is ridiculous.
    • And as if that's enough money to shut them up too. They'll be zero-day'ed before the check clears.
    • Re: (Score:2, Insightful)

      by Anonymous Coward

      No, you're the one that's delusional. Believe it or not, people reported these even before today responsibly. Why? Because it's the right thing to do. The monetary incentive is there to encourage people to spend a bit more time looking.

  • If a decent security programmer/expert earns say $50/hr, then this covers only 10 hours of work, and that ignores actual cost-to-company equivalent costs of hiring an expert (e.g. desk, HR, equipment, admin, accounting overheads, so it's actually closer to 5 or 6 hours worth of programmer time). Do you mean to tell me that if they hired an expert internally, they expert the cost of that expert equivalent finding a bug every 5 hours? This is highly patronizing, they are basically treating the security expert

  • ...then make 'em join you. It's testing using cheap crowdsourcing. Very sensible, as those cracks would likely be used against them anyway..
  • i got locked out of my (rarely-used) fb account because i have login approval required via phone but no phone number defined on profile!!!!!!

    This happened because i deleted my phone number from my public profile but i didnt mean to also delete it from the login security section. However, when i changed my public profile, their stupid site also deleted the phone number from the security login approval section too, while keeping active the mandatory login approval via sms.

    That results in a catch-22 scenario,

    • by Anonymous Coward

      Alright, so you filled out your profile with false information in violation of the ToS, couldn't go 3 clicks to find privacy settings to hide your phone number from others, and apparently don't have a computer with Facebook cookies from previous logins. Hard to say the blame is all Facebook's

      • by galaad2 ( 847861 )

        here in our country, the DoB forms a MAJOR part of the government id number/SSN (which is formed by appending a few numbers to the DoB numbers), so OF COURSE i wasn't going to let FB have my SSN, even if only part of it. The DoB that i used is close enough to the real one so as to remember my friends when my bday is, but it's not exactly spot on.

        and as to the privacy settings for the phone number, FYI they were ALREADY set to "me only", but that doesn't mean crap to normal FB admins. The access rights to th

  • by dbIII ( 701233 ) on Saturday July 30, 2011 @12:22AM (#36930724)
    Here's some big ones:
    Domain name time to live is only 30 fucking seconds! That means anything on the net looking for facebook rechecks twice a minute to see if it really is where it says it is. That's a lot of extra traffic but more importantly latency - a waste of everyone's time as their browser checks if facebook is still there and waits patiently back for the the news that facebook hasn't moved anywhere in the last 30 seconds. Because such stupid settings waste time and traffic RFC1035 requires a minimum of at least 300 seconds for TTL. Because nobody thought anybody would be so stupid facebook stopped working via a lot of web proxy software a few years ago until it was all patched especially for facebook.

    Content is marked as being from the year 2000! That's a nasty hack to force web browsers to refresh as fast as they can - a big waste of space that is truly antisocial since there are a lot of broadband plans worldwide that have download limits.

    Content that should be able to be cached is marked as non-cacheable! Maybe the page has changed, but has the facebook logo and a pile of other static content been redesigned in the last minute? Who cares - let's force the user to download it all over again and make it tricky for their ISP or company proxy server to cache it all! Let's make them pay more for their internet connection (download limits remember), add a lot of entirely useless repeat traffic to reduce the available bandwidth and increase latency with a pile of pointless host lookups.

    Draconian workplace policies that ban facebook are not always there to stop people wasting time, they are sometimes there because facebook wastes a lot of network resources so it comes down to a choice of blocking a site that is buggy by design or paying for a better connection and still having to limit staff facebook use at busy times.
    • by Anonymous Coward

      Uh... Facebook's DNS TTL is not 30 seconds. It's 1 hour (verified by running dig from hosts on two separate networks.
      I just loaded Facebook's homepage twice. Outside of PHP scripts, on the second load every other resource used was either loaded from cache or 304-ed (i.e. browser asked server, and was told that its version was still current). Facebook does not want to waste data, but they don't want browsers to cache dynamic data, either.

      Now I'm not saying that none of what you say was ever true, but just ha

      • by dbIII ( 701233 )

        Uh... Facebook's DNS TTL is not 30 seconds

        Good to see they are finally getting something right instead of what they used to do. Google facebook plus squid to find some blogs listing why their behaviour caused problems - especially the insane TTL that gave you a choice of a fast web proxy or something that would actually let the user get beyond the facebook login.

        As for the second point about caching, I'm not suggesting that you are making things up but if they are really doing that now it is something tha

    • by Anonymous Coward

      Thanks for the charity! I made $2000 today just for reading a /. post. Once again proving lurking around on /. is always worth it.

  • Age of the slashdot millionaires.

  • There is an obvious flaw in this scheme. What if someone at google delibratley wrote a bug? He could tell a friend outside the company who would collect the bounty and then share it with him. They would end up basically paying their programmers to write bugs.

Statistics are no substitute for judgement. -- Henry Clay

Working...