
Every one of Twitter's bounty amounts is divisible by 140.


I wanted to move from Blogspot to a personal domain, but kept delaying it for a long time.


>how many hours did you spend researching this?

Two to three hours discovering and writing the initial report, couple more hours (unsuccessfully) trying to escalate it using pre-approved apps.

>I think $5,000 is a joke

This is still $5,000 more than I would get reporting a similar bug to 99.999% of companies, and I am OK with the bounty. Here is a good comment on the topic of bug bounty rewards: https://news.ycombinator.com/item?id=11249173


The bug was reported on December 8th, 2015 and fixed on February 18th, 2016, which is an unusually long time for Facebook. The bounty reached my account during the middle of March, but Facebook has recently changed their bounty payment processor to Bugcrowd, and now they have weekly payments.


Weekly payments as opposed to a lump sum? Why? I can't imagine cashflow is an issue for them.


I suspect franjkovic means that there's a queue of lump sums to get deposited to their respective owners, and payments in that queue get processed once per week.


I took that as "they pay out all bounties due weekly via an automated system instead of whenever accounting gets around to writing a check".


I took that to mean payments every week instead of at certain payout times.


Weekly, as opposed to Google's biannual system.


The post is interesting, but I do not know why people assume they would get a bounty for a security report if the company does not have responsible disclosure / bounty program.


It would be common sense to pay a bounty. Similar to the reward you should get if you find somebody's wallet. If you are known for not paying a bounty (a finder reward) some people will not tell you your security holes (will not give you back your wallet).

In the long run this will be more expensive than the bounty. But the problem might be that if they paid a bounty, they would admit that they screwed up, which their lawyers would like to prevent.


I would absolutely never expect or even accept a reward for a lost wallet. It's our duty as a member of a civilized society to not steal.

If a wallet finder failed to give me my wallet back, I'd just call the police.


The options aren't just returning it or stealing it, they can simply leave it where it is to avoid the hassle of having to return it. Hence why having a custom of paying a reward might be beneficial for wallet losers in general.


I'd like to feel like people would be ethically and morally motivated to make efforts to do the right thing rather than expect to be rewarded for doing the right thing. Perhaps it is how I was raised, but it seems weird to me that I would turn in a lost wallet with expectation to get something back out of it. This so-called "custom" is not my custom. It actually seems very childish, where one is still in the phase of learning the importance of taking care of their neighbor.


Sure, but if I had heard several news reports of people finding and returning wallets being falsely accused of theft and subjected to serious legal threats, at that point if I saw someone's wallet lying around, I would just ignore it and keep going.

The bug bounty isn't only about the money. It's also the company's way of advertising 'we aren't crazy assholes like those outfits you heard about on the news'.

(Yes, fixing the law would be a good idea. But in the meantime, a bug bounty is the solution.)


It's a bit of a stretch, but: you can expect people to be ethically and morally motivated, or you can apply security patches to your servers.


I think I'm bikeshedding; the whole "finder's fee" nonsense bugged me. The analogy between lost wallets and servers doesn't actually hold. One can have thieves and indifference in both worlds, but the natures of the exposed items and victims are different. It is more acceptable to people -- though not any more right -- to figure that a faceless multi-million dollar corp can absorb a tiny theft/hit, but it is harder to allow pain to a relatable fellow human being. (...unless, of course, one is affected by bystander effect or pressured by authority)


Hassle free return, drop it in a mailbox. Leaving it is an option, but the custom of returning things to their owner exists because one good deed begets another.


I lost my wallet once and someone turned it in to a nearby business, but with all the cash taken out.

Not sure if the finder or the business took the cash, but I guess they got their own reward. Not what I would do, but I'm glad they didn't take the cash and trash the wallet.


Don't feel too bad. Could have been a thief at first that just left it on the sidewalk.


The interesting question is "Would you pay a reward to a finder (~10%)?".


I would not. It's an insult.


You should never expect a reward.

You should always give one. Claiming it's an "insult" to thank someone for going out of their way to do something they didn't have to do (v. doing nothing or throwing the wallet out) sounds like an easy excuse to be cheap.


If you need any reward to do what's right you might need to search within yourself what kind of person you really want to be.


Then you are a cheapskate at the expense of other wallet losers.


OP here. I knew the bank wouldn't pay. But I wanted to initiate a discussion with the bank so they know that paying a bounty for disclosures is a thing.


Nice work OP.

You gave them a tech analysis that should be worth some money, for free, at the same time (hopefully) bringing to their attention how bounty programs are a helpful thing for everyone. They should be feeling very lucky about it.

However, the thing that worries me with these things is: what if some "bad guys" already knew about this and were exploiting it, and now that the bank is aware and might close the hole, it makes them angry and looking for retaliation?

Hopefully you are taking precautions to be anonymous, but I know that where I live if I were to pull a stunt like that I would seriously consider watching my back for a while.

Sad world we live in :( so take care OP.


He is in Sweden. So definitely safer than being in India :-) Adding to that, I don't think bad guys from the computer world would go to great lengths to harm someone from physical world.


I wouldn't be so sure of that.

Being in Switzerland definitely helps, but still, India being a very big country, it wouldn't surprise me if they had some really-bad-guys(TM) mafias capable of hurting people in other countries.

Of course, a small thing like this wouldn't necessarily pop up on their radar, but still...

I guess part of the reason I think this way is because I live in a country where this is a real threat. Where posting things that real-bad-guys(TM) don't like can literally get you tortured and killed.


> Switzerland

I see what you did there.


Ahhh.... yes... damn. Didn't do it on purpose. Sorry about that 0x424242. I am always getting those two mixed up, even in my mother tongue.

:(

I guess the point still stands as I originally intended it though. Again, sorry for the confusion. Even though I know my geography reasonably well, my mind brings the word and my mouth or fingers say something else.


This never gets old.


The value of the write-up is a reward at least.


If the bank doesn't have a disclosure/bounty program, you can easily end up getting yourself arrested.


Probably from goodwill. Sadly the bank couldn't afford it; they can afford getting stolen from anyway. The bank always wins.


Don't think of it as a bounty. Think of it as payment for services rendered.


I'd say it does.

Not interact with other accounts without the consent of their owners.

Edit: whoops, I misread this a bit, but the point still stands - he escalated using an AWS keypair that did not belong to him, and he had no consent of the owner.


Obviously that's referring to Facebook accounts.

Edit: I feel that your edit is still stretching the terms a bit. It seems pretty clear that this isn't the abuse that the clause intends to prevent.

Also, the guy seems to only have verified that the credentials worked.


I think they did not reward me because you cannot really hurt anyone by having multiple usernames.


What about squatting on valuable ones? But probably not a big deal unless it relates to Pages.


Thanks! I reported the bug to the security@ email, and one of your team's members replied on the same day (January 6th). Either way, good job on fixing this really fast. I wish more teams were as responsive as yours.


Oh okay I was mistaken then.

I believe race conditions are on the rise in terms of severity and importance. Developers are aware of common OWASP bugs, but this type of race condition is often overlooked, and developers are going to NEED to be just as aware of it. Way to go.


The bounty actually surprised me, too. I expected between $1000-$2000. That is one of the reasons I like reporting bugs to Facebook - they pay really well, and critical bugs are fixed really fast (<1 day).

One time they paid me $5000 for a bug I never could have found, but they did internally based on my low severity report. (http://josipfranjkovic.blogspot.com/2013/11/facebook-bug-bou...)


It’s impressive that they are able to fix them so quickly – one needs to imagine they get a non-trivial number of reports, and that some majority of them are junk. They have a good triage + repro + escalation system.


Facebook puts out stats from their bug bounty program once a year. Most of the bugs are invalid reports - in 2013 they had 14,763 reports, with 687 being valid.

(https://www.fb.com/818902394790655)

They probably have a couple of people working exclusively on bug bounty reports. I also have to say they did a great job changing communication channels from emails to tickets which show up in /support/; it is way easier now. The downside is that you must have a Facebook account, not sure if it was needed before the change.


Congratulations on both findings.


HN, I am wondering about your thoughts on the $5500 bounty. This is a bug that affected a third-party system on Facebook's servers, and the network was locked down. I could have gained access to resume analysis software and maybe resume uploads themselves. There was a small to no chance I could get Facebook internal code or binaries. So, was the bounty enough?


Neither here nor there regarding compensation, but if I were to describe this for the purpose of e.g. a resume, I do not think "I demonstrated a vulnerability allowing one to root a facebook.com server and thereby compromise any Facebook user" is an exaggeration. You're most of the way there, and while developing it further might be a fun exercise, from their perspective it should be a mostly foregone conclusion that you'll win.


In my experience - yes. Very generous.

Almost all other companies would say the bug was out of scope, thank you for reporting it, and maybe send you a t-shirt.


Did you report it to Facebook, rather than sell it on the market? Yes? Then it was enough, by definition.

Honestly, resume uploads are unlikely to be worth much. The resume analysis software, either. What information there is worth anything to a disreputable buyer?


It absolutely doesn't follow that it was enough. Someone might report it to Facebook rather than sell it on the market out of principle regardless of the bounty, while still thinking that the bounty is way too low relative to the severity of the issue. (What's more, the size of the bounty might be revealed only after it's been reported.)

However, I'm unsurprised to find such reasoning on HN.


Actually, if the goal of a bounty program is to get reports instead of wild exploits, the only metric of success is getting the reports. In the case that someone would have reported it for reasons other than the bounty, the bounty is not only too much, but completely wasted.


How can you say it's completely wasted? This guy just blogged about getting $$$ from Facebook, and it hit the front page of HN. It might inspire others to also report vulnerabilities. And conversely, if he was looking for bounties and didn't get any, there would instead be a front page HN story about Facebook not paying bounties.


That only holds if those bug hunters who read this consider the payout fair. Otherwise, they may decide not to spend time hunting on Facebook or may decide not to report bugs found in favour of the black market.


> What's more, the size of the bounty might be revealed only after it's been reported.

There's more than enough information on what Facebook tends to give out on various types of vulns. I wouldn't be surprised if there's a website out there that aggregates this sort of information. Even if you don't know precisely what you'll get, you'll at least have a rough idea.

> However, I'm unsurprised to find such reasoning on HN.

Honestly, as someone who is decidedly not a capitalist usually: either the bounty is a token "thank you", or it's a capitalist-minded attempt to get people to report vulns rather than ignore them or sell them on the market. In the former case, the amount doesn't really matter so long as it's not insulting, and in the latter, my argument that if it gets people providing vulns, it's enough, applies.

It's specifically not "payment", because payment-for-services requires that services were actually and specifically requested. It's a reward or a "thank you", and should be thought of as such - perhaps similarly to a reward for finding a lost kitten.


Parent's talking about the amount to achieve a goal, you're talking about what's fair. The two are valid, they just shouldn't be mixed up. The problem with the latter, of course, is that there's no objective measure, but you certainly can't assume the receiver is necessarily reasonable in his assessment.

