Trinidad and Tobago quite the bug-reporting hotspots, it transpires
Facebook security engineer Reginaldo Silva says Menlo Park has paid out $4.3m (£3.8m, A$6m) for more than 2,400 vulnerability reports submitted since its bug bounty began in 2011.
The payments made under one of the world’s most popular bug bounty programmes were sent to more than 800 researchers who sent in a variety of cross-site scripting (XSS), cross-site request forgery (CSRF) and business logic flaws.
Facebook last year paid out a little less than the previous year – $936,000 (£644,477, A$1.29m) – to 210 researchers who submitted 526 bugs.
The average pay-out was $1,780 (£1,225, A$2,489). India took the top spot, as it did the previous year, but Egypt and Trinidad and Tobago beat last year’s US and UK to the runners-up spot for receiving the highest number of payouts.
Silva says tools and frameworks are eliminating the easily spotted web application holes – leaving hackers to find and report business logic vulnerabilities.
“As the programme matures and traditional security issues like XSS and CSRF become more difficult to find, many of our top participants are focusing their research on our business logic,” Silva says.
“As Facebook grows, we’ve gotten better at protecting against traditional security issues very early in our stack, using tools and frameworks such as XHP and React.
“…the quality of reports we receive is getting better over time, both in terms of clear step-by-step instructions to reproduce the issue as well as thoughtful consideration of potential risk to people who use Facebook.”
Silva says the business logic flaws help Facebook apply rules to its code base and eliminate entire classes of vulnerabilities. The focus on high-quality reports and business logic flaws makes it easier for security wonks to evaluate vulnerabilities, too.
Facebook averages some $860,00 (£592,000 A$1,202) in payouts a year compared to Google’s yearly average of $1.2m (£826,300, A$1.7m) in payouts made since 2010.
Mountain View has shelled out more than $2m (£1.4m, A$2.8m) for 750 bugs submitted over the last 12 months, during which time it expanded its programme so that those submitting Android bugs would also be paid. ®
Building secure multi-factor authentication