Facebook today reported a dramatic increase in 2013 submissions to its bug bounty program, and said that despite reports from researchers that it’s becoming difficult to find severe bugs on its various properties, the social network plans to increase rewards for critical bugs.
“The volume of high-severity issues is down, and we’re hearing from researchers that it’s tougher to find good bugs,” Facebook security engineer Collin Greene said. “To encourage the best research in the most valuable areas, we’re going to continue increasing our reward amounts for high priority issues.”
Greene said Facebook paid out $1.5 million in bounties last year, rewarding more than 330 researchers at an average payout of $2,204. Submissions, however, skyrocketed 246 percent over 2012 to 14,763, he said. Most of those were not eligible for a bounty; only six percent were rated high severity. Greene said that Facebook has been able to cut its response time for critical vulnerabilities down to six hours. Facebook also released geographic stats on its bug submissions, revealing that researchers in India contributed the largest number of valid bugs (136), while researchers in Russia earned on average more than anyone else in the program, $3,961 (38 bugs). U.S.-based researchers, meanwhile, reported 92 bugs and were rewarded on average $2,272.
“Most submissions end up not being valid issues, but we assume they are until we’ve fully evaluated the report,” Greene said. “That attitude makes it possible for us to triage high-priority issues quickly and get the right resources allocated immediately.”
Most leading technology providers have some sort of vulnerability rewards program. Most, including Google, Yahoo, GitHub and others, reward researchers for finding vulnerabilities in Web-based applications and services. Microsoft, however, is an outlier, paying significant rewards for bypasses of mitigations built into Windows and other Microsoft products.
These companies are in a constant tug of war with vulnerability brokers, exploit vendors and the black market, most of whom pay more for bugs than vendors do. Microsoft, for example, has tried to narrow the gap with a $100,000 reward for mitigation bypasses, but even a low six-figure payout may pale in comparison to what a less than scrupulous researcher could earn on the underground.
Other legitimate programs such as HP’s Zero-Day Initiative offer six-figure paydays at events such as the Pwn2Own contest, held in conjunction with the annual CanSecWest conference. This year’s contest paid out $850,000, with French exploit vendor VUPEN cashing in with close to a half-million dollars in prizes.
Facebook’s biggest payout was made in January to Brazilian engineer Reginaldo Silva, who earned $33,500 for what Facebook called an XML External Entities attack. The vulnerability could allow an attacker to read files from a Facebook server, reach another internal service and execute code. The bug caused Facebook to disable external entities and audit the code for similar endpoints, Greene said.
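The fix Greene describes, disabling external entities, is the standard mitigation for this bug class: an XML parser that resolves `SYSTEM` entities will fetch whatever URI the document names. The following added example (not Facebook's code, and not from the article) shows a fail-closed approach for untrusted XML in Python: reject any document that carries a DTD or entity declaration before it reaches a parser, and only then parse it with the standard library. The two sample documents are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs (not from the article): a benign document and one
# that declares an external entity, the construct an XXE attack depends on.
CLEAN_DOC = b'<?xml version="1.0"?><user><name>alice</name></user>'
XXE_DOC = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE user [<!ENTITY ext SYSTEM "file:///etc/hostname">]>'
    b'<user><name>&ext;</name></user>'
)

# XML requires these keywords to be spelled exactly like this, so a literal
# match is sufficient; the IGNORECASE flag is just defensive.
_DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)
_ENTITY_RE = re.compile(rb"<!ENTITY", re.IGNORECASE)


class UnsafeXML(ValueError):
    """Raised when untrusted input carries a DTD or entity declaration."""


def has_dtd(data: bytes) -> bool:
    """True if the document contains a DOCTYPE or ENTITY declaration."""
    return bool(_DOCTYPE_RE.search(data) or _ENTITY_RE.search(data))


def parse_untrusted(data: bytes) -> ET.Element:
    """Parse XML from an untrusted source, refusing any DTD up front.

    Rejecting the whole DTD (rather than only external entities) also removes
    internal-entity expansion attacks, at the cost of refusing documents that
    legitimately declare a DOCTYPE.
    """
    if has_dtd(data):
        raise UnsafeXML("DTD/entity declarations are not accepted from untrusted input")
    return ET.fromstring(data)


def classify(data: bytes) -> str:
    """Convenience wrapper returning 'rejected' or 'parsed' for a document."""
    try:
        parse_untrusted(data)
    except UnsafeXML:
        return "rejected"
    return "parsed"


if __name__ == "__main__":
    for label, doc in (("clean", CLEAN_DOC), ("xxe", XXE_DOC)):
        print(f"{label}: {classify(doc)}")
```

The check is deliberately fail-closed: a DOCTYPE string inside an XML comment would also be rejected, which is the safe direction for input arriving from the network. Where a parser exposes the setting directly (lxml's `resolve_entities=False`, or `disallow-doctype-decl` in Java's `DocumentBuilderFactory`), use that in addition to, not instead of, keeping DTDs out of untrusted endpoints.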
“One of the most encouraging trends we’ve observed is that repeat submitters usually improve over time,” Greene said. “It’s not uncommon for a researcher who has submitted non-security or low-severity issues to later find valuable bugs that lead to higher rewards.”
To that end, Greene said Facebook is giving researchers a new support dashboard where they can view the status of their submissions. Also, the bug bounty has now been extended to Facebook acquisitions Instagram, Parse, Atlas and Onavo.