Facebook Sweetens Deal for Hackers to Catch Security Bugs

The company is turbocharging its bug bounty to try to stop the next data leak before it happens.
[Illustration: red bugs crawling over gold coins. Credit: Casey Chin]

In the wake of extensive mishandling of user data and a series of security missteps, Facebook has deployed a number of security and privacy initiatives. A key focus: expanding its long-standing bug bounty program. Now Facebook is courting outside hackers more aggressively than ever.

Last year, the company began paying bounties for certain bugs researchers might find in third-party services that integrate with Facebook. It will now expand the types of bugs that are eligible, and even pay out for bugs that have also been directly submitted to another developer's own bug bounty. Essentially, Facebook is willing to reward bugs that impact its platform even if a researcher has already gotten another payout elsewhere for finding it. The company is also adding bonuses from $1,000 to $15,000 if researchers find bugs in the fundamental code of its native products—like Messenger, Oculus, Portal, or WhatsApp—and then also submit additional materials, like showing how the bugs could actually be exploited in the wild. Before now, there wasn’t a specifically codified bonus structure if you went above and beyond in a submission, a practice Facebook wants to encourage.

"Reports submitted to us thanks to security researchers allow us to learn from their insights," says Dan Gurfinkel, who heads Facebook's bug bounty program. "And that allows us to catch more bugs in the future. Humans are always more creative than machines, so we want to see how they're able to bypass our protections."

In Facebook's notorious data breach last year, for example, hackers abused a chain of three bugs that allowed them to grab account authentication tokens through the "View As" feature. Around the same time, Facebook disclosed and patched a critical WhatsApp bug, submitted through its bounty program, that stemmed from a flaw in the WhatsApp media gallery flow.

Facebook offers a minimum payout of $500 for accepted bugs, and no maximum—meaning that there’s no specific upper limit on how valuable a bug could potentially be. So far the largest payout from Facebook's bounty is $50,000, while Apple will pay out up to $1 million for the most valuable iOS bugs.

It's worth it to Facebook to get on top of the unintended potential data exposures that come from third-party integrations. Facebook previously only allowed bug hunters to submit findings about third parties that came from analyzing publicly available information, without actively hacking those services. Now, Facebook will accept bugs discovered through active penetration testing, so long as the approach complies with the guidelines set out by the third party itself. The idea of potentially double-paying for bugs is unusual, but it may give Facebook more insight into the types of bugs third parties have and whether they've been fixed.

"We know that some bug bounty programs do not get the attention they deserve," he says. "And we want our security researchers to increase the coverage they currently have for these apps and websites to make sure Facebook users remain secure even if the problem doesn’t stem from Facebook itself."

Facebook is also updating its bug bounty's terms of service to emphasize that participating hackers will always be protected from reprisal. In the case of third-party bugs found through active analysis, Facebook's bounty will now require that researchers submit proof that their methods were authorized under the third party's rules.

Gurfinkel says that while Facebook's security team finds many bugs on its own, often using tools like the company's code mapping tool Zoncolan, it also meets once a week to review and analyze reports submitted to the bug bounty. That group then uses those findings to update its bug-hunting arsenal.

"We want to make sure we get more eyes finding security vulnerabilities in Facebook," Gurfinkel adds. "And every time a security researcher reports a vulnerability to our program, we use the insights they provided us with to see if we can catch not just this instance of the report, but also the whole class of vulnerability."

Some large bug bounties are private and invitation-only, but Facebook will accept bug reports from anyone. This can make for a problematic signal-to-noise ratio at times, but Gurfinkel says it's well worth it to keep the program open and receive the most diverse, far-reaching array of bug submissions possible. In total, the bounty had about 700 valid submissions in 2018 and will likely surpass that number in 2019. But though all of Tuesday's changes seem positive, a bug bounty can only be one piece of a larger security strategy. Hopefully Facebook isn't compensating for something.
