Since 2011, Facebook has operated a bug bounty program in which external researchers help improve the security and privacy of Facebook products and systems by reporting potential security vulnerabilities to us. The program helps us detect and fix issues faster to better protect our community, and the rewards we pay to qualifying participants encourage more high quality security research.
Over the past 10 years, more than 50,000 researchers joined this program and around 1,500 researchers from 107 countries were awarded a bounty. A number of them, including myself, have since joined Facebook’s security and engineering teams and continue this work protecting the platform at Facebook.
When we receive a valid report that requires a fix, we look not only at the report as it was submitted but at the underlying area of code to understand the issue in greater depth. Sometimes this proactive investigation leads us to discover related improvements we can make to better protect people’s security and privacy. Today, as we approach the 10th anniversary of our bug bounty program, we’re recognizing the impact the researcher community has had in helping protect people across our apps and we’re sharing two examples of reports that helped us find and fix important issues.
Here are a few highlights from our bug bounty program:
- Since 2011, we’ve received more than 130,000 reports, of which over 6,900 were awarded a bounty.
- So far, this year, we’ve awarded over $1.98 million to researchers from more than 50 countries.
- This year, we received around 17,000 reports in total, and issued bounties on over 1,000 reports.
- For the third year in a row, we’ve awarded our highest bug bounty payout to date.
- The top three countries based on bounties awarded this year are India, Tunisia and the US.
Earlier this year, we received two notable reports – one from a new researcher who joined our program this year, and another from one of the researchers at Google’s Project Zero. We quickly patched both bugs and, in both cases after deploying the initial fix, we did a follow-up review using a combination of automated detection and manual code review to add additional protections. In each case, we found no evidence of exploitation. Here are some details.
Content Delivery Network Bug Report
Earlier this year we received a report from Selamet Hariyanto who identified a low impact issue in our Content Delivery Network (CDN), a global network of servers that deliver content to people accessing our platform around the world, where a subset of our CDN URLs could have been accessible after they were set to expire. After fixing this bug, our internal researchers found a rare scenario where a very sophisticated attacker could have escalated to remote code execution. As always, we rewarded the researcher based on the maximum possible impact of their report, rather than on the lower-severity issue initially reported to us. It is now our highest bounty – $80,000.
Messenger Bug Report
This fall, Natalie Silvanovich of Google’s Project Zero reported a bug that could have allowed a sophisticated attacker logged in on Messenger for Android to simultaneously initiate a call and send an unintended message type to someone logged in on Messenger for Android and another Messenger client (i.e. web browser). It would then trigger a scenario where, while the device is ringing, the caller would begin receiving audio either until the person being called answers or the call times out. To exploit this issue, an attacker would have to already have the permissions to call this particular person by passing certain eligibility checks (e.g. being friends on Facebook). They’d also need to use reverse engineering tools to manipulate their own Messenger application to force it to send a custom message.
After fixing the reported bug server-side, our security researchers applied additional protections against this issue across our apps that use the same protocol for 1:1 calling. This report is among our three highest bug bounties at $60,000, which reflects its maximum potential impact.
Growing Our Bug Bounty Program
In 2011, our bug bounty program started off covering Facebook’s web page. Today, it’s grown to cover all of our web and mobile clients across our family of apps, including Instagram, WhatsApp, Oculus, Workplace and more. As the threat landscape has evolved over the years, we’ve focused on three things:
- Innovating ways to direct and incentivize security research into emerging risk areas like misuse of Facebook data by app developers or security bugs in third-party apps and external websites that may touch on Facebook data.
- Building tools for the research community to make it easier and more rewarding to hunt for bugs on Facebook. For example, we recently launched Facebook’s Bug Description Language, a tool that helps researchers quickly build a test environment to show how we can reproduce the bug. We also created Hacker Plus, our own rewards program, to add bonuses, badges, early access to soon-to-be-released products and features, exclusive invites to bug bounty events, and more. Since its launch just last month, we’ve awarded $40,000 in bonuses.
- Creating opportunities for collaboration and networking at our live hacking events and BountyCon, a conference for researchers in our bug bounty program.
We want to thank our bug bounty community for contributing valuable research over the past 10 years as well as everyone who contributed to the growth of our program in 2020. As always, we appreciate feedback on how we can make our collaboration even more effective. We look forward to our continued work together to keep our platform secure.