Facebook To Pay Hackers For Bugs
alphadogg writes "Facebook is going to pay hackers to find problems with its website — just so long as they report them to Facebook's security team first. The company is following Google and Mozilla in launching a Web 'Bug Bounty' program. For security related bugs — cross site scripting flaws, for example — the company will pay a base rate of $500. If they're truly significant flaws Facebook will pay more, though company executives won't say how much. 'In the past we've focused on name recognition by putting their name up on our page, sending schwag out and using this as an avenue for interviews and the recruiting process,' said Alex Rice, Facebook's product security lead. 'We're extending that now to start paying out monetary rewards.'"
First Post (Score:1)
Good step in the right direction.
*golf clap*
The others... (Score:1)
...like Microsoft/Adobe/Apple should take notice.
I've got one (Score:1)
not a very smart thing (Score:2)
no assurance the said hacker won't sell the information extracted during this "lawful" exercise "authorized" by F-book.
Re: (Score:3, Insightful)
found one! (Score:2, Funny)
Re: (Score:1, Troll)
That's so fucking witty!
I'm sure you'll be duly upmodded by the Slashbots, for repeating the groupthink that appears in every fucking Facebook story.
Re: (Score:2)
Leave Mario and Luigi out of this! :)
Re: (Score:2)
Oh wait. Of course not. I've only heard it a few hundred times before. Next time you accuse someone of 'repeating groupthink,' maybe you should at least attempt to hide your own lack of original thought.
Re: (Score:1)
You have misunderstood. When someone speaks against groupthink they are always individual thinkers. It is not possible that a web forum would include more than one group of like-minded people.
Feel free to disagree but understand that that makes you a slashbot, as I am an individual.
Oblig. Nethack reference (Score:3)
Gee, and I thought trolls respected "Elbereth." :^P
iPhone app? (Score:2)
If only ebay would do the same.. (Score:3)
..then we all would be rich. I have not seen any major destination with so many glaring front page defects. Ebay even came to my house (3 use case specialists strong, and left me an ebay cap!), but no bug fixes as a result.
XSS (Score:2)
Facebook's security team already engages in a lot of dialogue between security researchers and its own programmers. The company is contacted between 30 and 50 times each week by hackers. Their information leads to an average of about one to three "actionable bugs" per week, Rice said. Most of these are cross-site scripting or cross-site request forgery issues. These are both very common Web programming errors that could be abused by scammers and cybercrooks to rip off Facebook users.
Sounds to me like Facebook would be better served reviewing their coding and auditing practices.
I mean... one to three a week, do they not sanitize their inputs?
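The two bug classes the quoted article names, XSS and CSRF, are usually prevented at the output and request-handling layers rather than by "sanitizing inputs". The following is an added illustration written for this thread, not code from Facebook or from the poster: untrusted fields are HTML-escaped at render time, and a state-changing request is refused unless it carries the session's CSRF token. The handler, field names and request shape are assumptions made for the example.

```python
"""Added example (not from the thread): output encoding against XSS and a
per-session token check against CSRF.  The handler shape, form field names
and session dict are assumptions for illustration only."""
import hmac
import html
import secrets


def render_comment(author, body):
    """Escape untrusted text when it is written into HTML, not when it is stored.
    Storing raw input keeps the data intact; escaping at output covers every
    path that renders it."""
    return (
        '<div class="comment">'
        f'<span class="author">{html.escape(author, quote=True)}</span>: '
        f'{html.escape(body, quote=True)}'
        '</div>'
    )


def issue_csrf_token(session):
    """Create (or reuse) an unguessable per-session token to embed in forms."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def csrf_valid(session, submitted):
    """Accept a state-changing request only if the submitted token matches the
    session's, compared in constant time."""
    expected = session.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


def handle_post_comment(session, form, store):
    """Hypothetical POST handler: the CSRF check runs before any state changes.
    Returns (status_code, body)."""
    if not csrf_valid(session, form.get("csrf_token")):
        return 403, "CSRF token missing or invalid"
    author = form.get("author", "")
    body = form.get("body", "")
    store.append((author, body))          # raw text is stored unchanged
    return 200, render_comment(author, body)  # escaping happens here


if __name__ == "__main__":
    session = {}
    token = issue_csrf_token(session)
    comments = []
    # Constructed payload: the script tag must come out inert in the HTML.
    print(handle_post_comment(session, {"csrf_token": token, "author": "alice",
                                        "body": "<script>alert(1)</script>"}, comments))
    # Constructed forged request: no token, so nothing is appended.
    print(handle_post_comment(session, {"author": "mallory", "body": "hi"}, comments))
```

Note that `render_comment` escapes on every render, so a value that reaches the page through a different template is still covered, and the CSRF check fails closed when either side of the comparison is absent.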
Re: (Score:2, Funny)
Well, it WAS put together by PHP coders...
Re: (Score:2)
Payoff (Score:2, Offtopic)
Re: (Score:3)
Your email address is not worth even a full dollar, let alone 600.
Yay! (Score:2)
Will they (Score:1)
This is delusional. (Score:2)
Re: (Score:2)
Re: (Score:2, Insightful)
No, you're the one that's delusional. Believe it or not, people reported these even before today responsibly. Why? Because it's the right thing to do. The monetary incentive is there to encourage people to spend a bit more time looking.
Cheapskates (Score:2)
If a decent security programmer/expert earns say $50/hr, then this covers only 10 hours of work, and that ignores actual cost-to-company equivalent costs of hiring an expert (e.g. desk, HR, equipment, admin, accounting overheads, so it's actually closer to 5 or 6 hours worth of programmer time). Do you mean to tell me that if they hired an expert internally, they expect the cost of that expert equivalent finding a bug every 5 hours? This is highly patronizing, they are basically treating the security expert
If you can't beat 'em... (Score:2)
first fix the stupid logic with SMS auth! (Score:2)
I got locked out of my (rarely-used) fb account because I have login approval required via phone but no phone number defined on profile!!!!!!
This happened because I deleted my phone number from my public profile but I didn't mean to also delete it from the login security section. However, when I changed my public profile, their stupid site also deleted the phone number from the security login approval section too, while keeping active the mandatory login approval via sms.
That results in a catch-22 scenario,
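The lockout described in this post is a consistency problem between two settings: the "login approval required" flag and the factor it needs. An added example (not code from the thread or from Facebook) sketches how an account model can keep them consistent, with the described legacy behaviour beside it for contrast. Field and method names are assumptions for illustration.

```python
"""Added example (not from the thread): keep a mandatory second factor and its
delivery number consistent.  Profile edits never touch the security settings,
and the last approval factor cannot be removed while approval is mandatory
unless approval is switched off in the same step.  Names are assumptions."""


class FactorRequiredError(Exception):
    """Raised when an edit would leave mandatory login approval with no factor."""


class Account:
    def __init__(self, username):
        self.username = username
        self.profile_phone = None        # public display only
        self.approval_required = False   # mandatory login approval (e.g. via SMS)
        self.approval_phone = None       # verified number approvals are sent to

    # --- profile edits: must never reach into the security settings ---
    def set_profile_phone(self, phone):
        self.profile_phone = phone

    def clear_profile_phone(self):
        self.profile_phone = None        # approval_phone is deliberately untouched

    # --- security settings: the invariant is enforced here ---
    def enable_login_approval(self, verified_phone):
        if not verified_phone:
            raise FactorRequiredError("login approval needs a verified phone")
        self.approval_phone = verified_phone
        self.approval_required = True

    def remove_approval_phone(self, disable_approval=False):
        """Refuse to drop the only factor unless approval is disabled with it."""
        if self.approval_required and not disable_approval:
            raise FactorRequiredError(
                "this is the only approval factor; disable login approval first")
        self.approval_phone = None
        if disable_approval:
            self.approval_required = False

    def can_log_in(self):
        """Invariant: approval is off, or there is a factor to deliver it to."""
        return (not self.approval_required) or (self.approval_phone is not None)


def legacy_clear_phone_everywhere(account):
    """The behaviour the post describes, kept here for contrast: one profile
    edit also wipes the approval number while leaving approval mandatory."""
    account.profile_phone = None
    account.approval_phone = None


if __name__ == "__main__":
    acct = Account("demo")                 # constructed account
    acct.set_profile_phone("+1-555-0100")  # constructed number
    acct.enable_login_approval("+1-555-0100")
    acct.clear_profile_phone()
    print("after profile edit, can log in:", acct.can_log_in())   # True
    broken = Account("legacy")
    broken.enable_login_approval("+1-555-0100")
    legacy_clear_phone_everywhere(broken)
    print("legacy behaviour, can log in:", broken.can_log_in())   # False
```

The useful property is that `can_log_in()` can be asserted after every settings write, so a regression that reintroduces the coupling between profile and security fields shows up in tests rather than at the login prompt.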
Re: (Score:1)
Alright, so you filled out your profile with false information in violation of the ToS, couldn't go 3 clicks to find privacy settings to hide your phone number from others, and apparently don't have a computer with Facebook cookies from previous logins. Hard to say the blame is all Facebook's.
Re: (Score:2)
Here in our country, the DoB forms a MAJOR part of the government id number/SSN (which is formed by appending a few numbers to the DoB numbers), so OF COURSE I wasn't going to let FB have my SSN, even if only part of it. The DoB that I used is close enough to the real one so as to remind my friends when my bday is, but it's not exactly spot on.
And as to the privacy settings for the phone number, FYI they were ALREADY set to "me only", but that doesn't mean crap to normal FB admins. The access rights to th
Here's a few big ones for free (Score:4, Insightful)
Domain name time to live is only 30 fucking seconds! That means anything on the net looking for facebook rechecks twice a minute to see if it really is where it says it is. That's a lot of extra traffic but more importantly latency - a waste of everyone's time as their browser checks if facebook is still there and waits patiently for the news that facebook hasn't moved anywhere in the last 30 seconds. Because such stupid settings waste time and traffic RFC1035 requires a minimum of at least 300 seconds for TTL. Because nobody thought anybody would be so stupid facebook stopped working via a lot of web proxy software a few years ago until it was all patched especially for facebook.
Content is marked as being from the year 2000! That's a nasty hack to force web browsers to refresh as fast as they can - a big waste of space that is truly antisocial since there are a lot of broadband plans worldwide that have download limits.
Content that should be able to be cached is marked as non-cacheable! Maybe the page has changed, but has the facebook logo and a pile of other static content been redesigned in the last minute? Who cares - let's force the user to download it all over again and make it tricky for their ISP or company proxy server to cache it all! Let's make them pay more for their internet connection (download limits remember), add a lot of entirely useless repeat traffic to reduce the available bandwidth and increase latency with a pile of pointless host lookups.
Draconian workplace policies that ban facebook are not always there to stop people wasting time, they are sometimes there because facebook wastes a lot of network resources so it comes down to a choice of blocking a site that is buggy by design or paying for a better connection and still having to limit staff facebook use at busy times.
Re: (Score:1)
Uh... Facebook's DNS TTL is not 30 seconds. It's 1 hour (verified by running dig from hosts on two separate networks).
I just loaded Facebook's homepage twice. Outside of PHP scripts, on the second load every other resource used was either loaded from cache or 304-ed (i.e. browser asked server, and was told that its version was still current). Facebook does not want to waste data, but they don't want browsers to cache dynamic data, either.
Now I'm not saying that none of what you say was ever true, but just ha
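The parent comment and this reply disagree about what can be measured: whether static resources are served with cache headers that force a refetch (an `Expires` date in the past, `no-cache` without validators) and whether the DNS TTL sits below some floor. The following added example, not code from either poster, is an offline audit over constructed response headers that classifies each resource and flags the cases both comments describe. The sample URLs, headers, the fixed "now" and the 300-second floor are constructed values, not measurements of any real site; the floor is a policy parameter here, not a standards claim.

```python
"""Added example (not from the thread): classify HTTP cache headers on static
resources and check a DNS TTL against a floor.  All inputs are constructed."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Content types treated as static for this audit (assumption).
STATIC_TYPES = ("image/", "text/css", "application/javascript", "font/")


def _directives(cache_control):
    """Parse 'public, max-age=600, no-cache' into {'public': '', 'max-age': '600', ...}."""
    out = {}
    for part in cache_control.split(","):
        part = part.strip().lower()
        if part:
            name, _, value = part.partition("=")
            out[name] = value
    return out


def classify_caching(headers, now):
    """Return 'cacheable', 'validatable' (conditional GET can answer 304),
    'no-store', or 'force-refetch' (every load transfers the full body)."""
    h = {k.lower(): v for k, v in headers.items()}
    cc = _directives(h.get("cache-control", ""))
    validators = "etag" in h or "last-modified" in h
    revalidate = "validatable" if validators else "force-refetch"
    if "no-store" in cc:
        return "no-store"
    if "no-cache" in cc:
        return revalidate
    if "max-age" in cc and cc["max-age"].isdigit():
        return "cacheable" if int(cc["max-age"]) > 0 else revalidate
    if "expires" in h:
        try:
            expires = parsedate_to_datetime(h["expires"])
        except (TypeError, ValueError):
            return "force-refetch"          # malformed date: treated as already stale
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        # An Expires in the past (the "year 2000" trick) means stale on arrival.
        return "cacheable" if expires > now else revalidate
    return revalidate


def audit_resources(resources, now):
    """List (url, verdict) for static resources that cannot be cached or revalidated."""
    findings = []
    for url, headers in resources:
        ctype = next((v for k, v in headers.items() if k.lower() == "content-type"), "")
        if not ctype.lower().startswith(STATIC_TYPES):
            continue                        # dynamic pages are expected to be uncached
        verdict = classify_caching(headers, now)
        if verdict in ("force-refetch", "no-store"):
            findings.append((url, verdict))
    return findings


def ttl_below_floor(ttl_seconds, floor_seconds=300):
    """True when a record's TTL is below the configured floor (constructed policy)."""
    return ttl_seconds < floor_seconds


# Constructed sample: a fixed clock and four responses from a made-up host.
NOW = datetime(2011, 8, 1, tzinfo=timezone.utc)
SAMPLE = [
    ("https://example.invalid/logo.png", {"Content-Type": "image/png",
        "Expires": "Sat, 01 Jan 2000 00:00:00 GMT", "Cache-Control": "private, no-cache"}),
    ("https://example.invalid/app.js", {"Content-Type": "application/javascript",
        "Cache-Control": "public, max-age=31536000"}),
    ("https://example.invalid/style.css", {"Content-Type": "text/css",
        "Cache-Control": "no-cache", "ETag": '"abc123"'}),
    ("https://example.invalid/home", {"Content-Type": "text/html; charset=utf-8",
        "Cache-Control": "private, no-store"}),
]

if __name__ == "__main__":
    for url, headers in SAMPLE:
        print(url, classify_caching(headers, NOW))
    print("findings:", audit_resources(SAMPLE, NOW))
    print("ttl 30s below floor:", ttl_below_floor(30), "| 3600s:", ttl_below_floor(3600))
```

In the constructed sample only `logo.png` is flagged: it carries both a past `Expires` and `no-cache` with no validator, so a proxy or browser has to pull the full body each time, which is the pattern the parent describes; `style.css` is `no-cache` but has an `ETag`, so a conditional request can return a 304, which is the pattern the reply observed.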
Re: (Score:2)
Good to see they are finally getting something right instead of what they used to do. Google facebook plus squid to find some blogs listing why their behaviour caused problems - especially the insane TTL that gave you a choice of a fast web proxy or something that would actually let the user get beyond the facebook login.
As for the second point about caching, I'm not suggesting that you are making things up but if they are really doing that now it is something tha
Re: (Score:1)
Thanks for the charity! I made $2000 today just for reading a /. post. Once again proving lurking around on /. is always worth it.
Oh, this is going to be good... (Score:2)
Age of the slashdot millionaires.
Flaw in scheme (Score:1)
validator.w3.org (Score:2)