
Facebook To Pay Hackers For Bugs

timothy posted more than 2 years ago | from the scrabble-counts-are-always-wrong dept.


alphadogg writes "Facebook is going to pay hackers to find problems with its website — just so long as they report them to Facebook's security team first. The company is following Google and Mozilla in launching a Web 'Bug Bounty' program. For security related bugs — cross site scripting flaws, for example — the company will pay a base rate of $500. If they're truly significant flaws Facebook will pay more, though company executives won't say how much. 'In the past we've focused on name recognition by putting their name up on our page, sending schwag out and using this as an avenue for interviews and the recruiting process,' said Alex Rice, Facebook's product security lead. 'We're extending that now to start paying out monetary rewards.'"


54 comments

First Post (1)

Anonymous Coward | more than 2 years ago | (#36929484)

Good step in the right direction.

*golf clap*

Re:First Post (-1)

Anonymous Coward | more than 2 years ago | (#36930208)

And I wonder who's paying whom to shill the firehose and delete all the postings related to Apple having more money than the U.S. [cnn.com]

News everywhere but not in slashdot, wow.

The others... (1)

Anonymous Coward | more than 2 years ago | (#36929492)

...like Microsoft/Adobe/Apple should take notice.

not a very smart thing (1)

Lead Butthead (321013) | more than 2 years ago | (#36929496)

No assurance that said hacker won't sell the information extracted during this "lawful" exercise "authorized" by F-book.

Re:not a very smart thing (3, Insightful)

lgarner (694957) | more than 2 years ago | (#36930322)

No assurance they aren't doing that already.

Re:not a very smart thing (1)

MichaelKristopeit355 (1968164) | more than 2 years ago | (#36932302)

except of course for the assurances of logic that no such exercise was "authorized" by F-book until now when such authorization was broadcast by executives.

you're an idiot.

found one! (1, Funny)

girlintraining (1395911) | more than 2 years ago | (#36929504)

I found one! It's called the Zuckerbug. It appears the Zuckerbug is a kind of malware posing as a security solution, when in reality it steals your personal information which is then sold off.

Re:found one! (0, Troll)

Elbereth (58257) | more than 2 years ago | (#36929880)

That's so fucking witty!

I'm sure you'll be duly upmodded by the Slashbots, for repeating the groupthink that appears in every fucking Facebook story.

Re:found one! (0)

Ethanol-fueled (1125189) | more than 2 years ago | (#36930098)

Have you ever had your dick sucked by two mustachioed plumbers who happen to be brothers?

Do you want to have your dick sucked by two mustachioed plumbers who happen to be brothers?

Maybe one of them could sodomize you with his plunger until both ends of it are covered in shit?

In other words, Zuckerburg is an unscrupulous swindler disguised as a maverick merchant. Throw the fucker in the oven.

(does anybody here like me yet?)

Re:found one! (1)

bky1701 (979071) | more than 2 years ago | (#36930838)

Wow, complaining about modding? 'Slashbots'? Did you come up with that one yourself?

Oh wait. Of course not. I've only heard it a few hundred times before. Next time you accuse someone of 'repeating groupthink,' maybe you should at least attempt to hide your own lack of original thought.

Re:found one! (1)

Anonymous Coward | more than 2 years ago | (#36931198)

You have misunderstood. When someone speaks against groupthink they are always individual thinkers. It is not possible that a web forum would include more than one group of like-minded people.

Feel free to disagree but understand that that makes you a slashbot, as I am an individual.

Re:found one! (0)

Anonymous Coward | more than 2 years ago | (#36932194)

maybe you should at least attempt to hide your own lack of original thought.

Hey I'm a slashbot you insensitive clod!

Re:found one! (0)

Anonymous Coward | more than 2 years ago | (#36930750)

Fix: rape the bug and spit on him

iPhone app? (2)

kappa962 (1583621) | more than 2 years ago | (#36929514)

The website is infinitely more robust than their iPhone app. Their crappy app is the reason most of my friends don't use Facebook anywhere near as much as they used to.

If only ebay would do the same.. (2)

viking80 (697716) | more than 2 years ago | (#36929554)

..then we all would be rich. I have not seen any major destination with so many glaring front page defects. Ebay even came to my house (3 use case specialists strong, and left me an ebay cap!), but no bug fixes as a result.

XSS (1)

TubeSteak (669689) | more than 2 years ago | (#36929576)

Facebook's security team already engages in a lot of dialogue between security researchers and its own programmers. The company is contacted between 30 and 50 times each week by hackers. Their information leads to an average of about one to three "actionable bugs," per week, Rice said. Most of these are cross-site scripting or cross-site request forgery issues. These are both very common Web programming errors that could be abused by scammers and cybercrooks to rip off Facebook users.

Sounds to me like Facebook would be better served reviewing their coding and auditing practices.
I mean.. one to three a week, do they not sanitize their inputs?

Re:XSS (2, Funny)

Anonymous Coward | more than 2 years ago | (#36930612)

Well, it WAS put together by PHP coders...

Re:XSS (1)

growse (928427) | more than 2 years ago | (#36931252)

Why would they sanitise their inputs, given that XSS is caused by output content encoding bugs?

Re:XSS (1)

MichaelKristopeit410 (2018830) | more than 2 years ago | (#36932400)

XSS is caused by cross site scripting which itself provides input to the site to exploit bugs in the system allowing such input.

you're an idiot.

Re:XSS (0)

Anonymous Coward | more than 2 years ago | (#36932712)

What? "XSS is caused by cross site scripting"? XSS *means* cross site scripting. And it "provides input to the site"? XSS is about tricking the browser, not the site, to execute code (though this is permitted by a programming error in the site). You clearly have no idea what you're talking about, not to mention you have no manners.
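
The subthread above argues about whether XSS is an input-sanitisation problem or an output-encoding problem. The following is an added example, not code from the thread, from any commenter, or from Facebook: a naive input filter beside context-aware output encoding, with a small parser that walks the rendered HTML the way a browser would and reports anything that could only have come from user input. The payloads, the two-line template, and every function name are constructed for the demo.

```python
import html
import json
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed payloads for the demo; none of these come from the thread or from any
# real report to Facebook.
PAYLOADS = [
    "<script>alert(1)</script>",             # the one string naive filters remember
    "<img src=x onerror=alert(1)>",          # no <script> tag at all
    '" autofocus onfocus="alert(1)',         # breaks out of a quoted attribute
    "javascript:alert(1)",                   # harmless as text, live as an href
]


def naive_sanitize(value: str) -> str:
    """'Sanitize the input': strip the tag everyone remembers. Deliberately weak,
    to show why filtering at the input layer does not fix XSS."""
    return value.replace("<script>", "").replace("</script>", "")


def render_vulnerable(name: str, link: str) -> str:
    """Concatenates the 'sanitized' values straight into HTML text and an href."""
    name, link = naive_sanitize(name), naive_sanitize(link)
    return f'<p>Hello <b>{name}</b></p><a href="{link}">profile</a>'


def encode_text(value: str) -> str:
    """HTML element-content and quoted-attribute context: escape & < > " '."""
    return html.escape(value, quote=True)


def safe_url(value: str) -> str:
    """URL attribute context: escaping cannot neutralise a javascript: scheme,
    so allow-list the scheme first, then attribute-encode what is left."""
    parts = urlsplit(value.strip())
    if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
        return "#"
    return encode_text(value)


def encode_js_string(value: str) -> str:
    """Inline <script> context: JSON-encode, then break '</' so the literal can
    never terminate the script element early."""
    return json.dumps(value).replace("</", "<\\/")


def render_hardened(name: str, link: str) -> str:
    """Raw input is kept as-is; every sink applies the encoder for its own context."""
    return (
        f"<p>Hello <b>{encode_text(name)}</b></p>"
        f'<a href="{safe_url(link)}">profile</a>'
        f"<script>var who = {encode_js_string(name)};</script>"
    )


class _Probe(HTMLParser):
    """Records what a browser would actually execute from the rendered page:
    tags the template never emits, on* handlers, and javascript: URLs."""

    TEMPLATE_TAGS = {"p", "b", "a", "script"}

    def __init__(self) -> None:
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in self.TEMPLATE_TAGS:
            self.findings.append(f"unexpected tag <{tag}>")
        for key, val in attrs:
            if key.startswith("on"):
                self.findings.append(f"event handler {key}")
            if key == "href" and (val or "").strip().lower().startswith("javascript:"):
                self.findings.append("javascript: URL")


def injected_markup(rendered: str) -> list:
    """List of live injection indicators in a rendered page (empty means clean)."""
    probe = _Probe()
    probe.feed(rendered)
    probe.close()
    return probe.findings


if __name__ == "__main__":
    for p in PAYLOADS:
        print(f"{p!r:40} vulnerable={injected_markup(render_vulnerable(p, p))} "
              f"hardened={injected_markup(render_hardened(p, p))}")
```

The filter stops exactly one of the four payloads; the hardened renderer stops all of them without touching the stored input, because each sink (text, attribute, URL, script literal) applies the encoder for its own context. Note that `safe_url` is an allow-list, not an encoder: no amount of escaping makes `javascript:` safe in an href.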

huh Google it? (0)

Anonymous Coward | more than 2 years ago | (#36929718)

So what? They are as lazy as 99% of their users... just too damned lazy to Google it, just to see what holes its 1% users are exploiting and have been for more than 3 years...

Will they... (0)

Anonymous Coward | more than 2 years ago | (#36929854)

pay in Bitcoin?

This is delusional. (1)

liquidweaver (1988660) | more than 2 years ago | (#36929938)

And I do mean delusional, as in out of touch with reality. Facebook must think the people that create these exploits are either really stupid, they don't understand their audience, or this is a token gesture. $500 is ridiculous.

Re:This is delusional. (1)

gravyface (592485) | more than 2 years ago | (#36930114)

And as if that's enough money to shut them up too. They'll be zero-day'ed before the check clears.

Re:This is delusional. (2, Insightful)

Anonymous Coward | more than 2 years ago | (#36930166)

No, you're the one that's delusional. Believe it or not, people reported these even before today responsibly. Why? Because it's the right thing to do. The monetary incentive is there to encourage people to spend a bit more time looking.

Ask Lulz Security (0)

Anonymous Coward | more than 2 years ago | (#36930012)

They should ask Lulz Security to contribute, and donate the reward to Wikileaks.

I'm not kidding.

Cheapskates (1)

BeanThere (28381) | more than 2 years ago | (#36930130)

If a decent security programmer/expert earns say $50/hr, then this covers only 10 hours of work, and that ignores actual cost-to-company equivalent costs of hiring an expert (e.g. desk, HR, equipment, admin, accounting overheads, so it's actually closer to 5 or 6 hours worth of programmer time). Do you mean to tell me that if they hired an expert internally, they expect the cost of that expert equivalent finding a bug every 5 hours? This is highly patronizing, they are basically treating the security experts out there as children who are supposed to get excited wasting their time doing virtually-free work for the great Facebook just for the so-called "prestige". In fact, most will spend many hours and are likely to earn nothing. Facebook, hire some programmers out of your own damn pocket. Security experts, retain some dignity.

Re:Cheapskates (0)

Anonymous Coward | more than 2 years ago | (#36930232)

Hello rich Westerner. My name is Sabu Ramathnanajan. $500US will feed my family for a year. I will have more than enough dignity.

Thank you.

Re:Cheapskates (0)

Anonymous Coward | more than 2 years ago | (#36930320)

While I'm sure 500USD would be enough for a poor village man in a third world country, I'm not sure it would pay a programmer. I'm Brazilian and I live in Rio de Janeiro. My maid earns BRL80 per day, 1600BRL per month, around 1000USD. This is for my *maid*. It wouldn't be even close to find a programmer and much less a decent trained one. I'm sure the same is also valid for India.

If you can't beat 'em... (1)

LongearedBat (1665481) | more than 2 years ago | (#36930356)

...then make 'em join you. It's testing using cheap crowdsourcing. Very sensible, as those cracks would likely be used against them anyway.

first fix the stupid logic with SMS auth! (1)

galaad2 (847861) | more than 2 years ago | (#36930632)

I got locked out of my (rarely-used) fb account because I have login approval required via phone but no phone number defined on profile!!!!!!

This happened because I deleted my phone number from my public profile but I didn't mean to also delete it from the login security section. However, when I changed my public profile, their stupid site also deleted the phone number from the security login approval section too, while keeping active the mandatory login approval via SMS.

That results in a catch-22 scenario: I cannot log in until I get an SMS with an auth code, but I cannot get the code since there's no phone number listed to send the SMS to.

Since there's no phone number left to send an SMS to, and I don't currently have a device that's already authorized (I run CCleaner weekly to clear cookies and other crap), that effectively means their system gives me no other way to recover my account and they get to sit on and steal my private data without letting me have any say in it.

At least with Google's 2-factor auth SMS security I have some printed recovery codes I can use, but they didn't give me anything :(

And they don't want to turn off the mandatory SMS auth (or convert it to email-based auth) for accounts that no longer have a phone number listed. It's impossible to send an SMS to a non-existing number.

As to my government-issued ID, I'm NOT going to send that, because OF COURSE I didn't use the name that the government uses for me but I used the name most of my friends know me by. (And neither is the DoB I used for sign up the real one...)

I'd rather abandon my fb account (and maybe create another one, I can create all the email addresses that I want since I manage my own internet domains) than send my ID (bearing my government-issued ID number, similar in function to the SSNs) to who knows where in India/Russia/other place. How would you feel if some stranger asked you to send your social security number and all other ID info just because their own team is stupid and can't properly manage a login sequence?

Re:first fix the stupid logic with SMS auth! (1)

Anonymous Coward | more than 2 years ago | (#36931110)

Alright, so you filled out your profile with false information in violation of the ToS, couldn't go 3 clicks to find privacy settings to hide your phone number from others, and apparently don't have a computer with Facebook cookies from previous logins. Hard to say the blame is all Facebook's.

Re:first fix the stupid logic with SMS auth! (1)

galaad2 (847861) | more than 2 years ago | (#36938366)

Here in our country, the DoB forms a MAJOR part of the government ID number/SSN (which is formed by appending a few numbers to the DoB numbers), so OF COURSE I wasn't going to let FB have my SSN, even if only part of it. The DoB that I used is close enough to the real one so as to remind my friends when my bday is, but it's not exactly spot on.

And as to the privacy settings for the phone number, FYI they were ALREADY set to "me only", but that doesn't mean crap to normal FB admins. The access rights to the login security usually require different administrative rights on FB than those rights needed by regular FB maintenance admins that can look at your private data (yes, even if you set it to "me only") but not at the login security auth data.
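
The lockout described in the post above is a state-invariant failure: a profile edit cascaded into the second-factor settings, the SMS requirement stayed switched on, and no backup codes had ever been issued. The following is an added example, not code from the post, from the commenters, or from Facebook: a hypothetical account model that first reproduces the catch-22 and then shows the hardened version, in which the delivery number is a separate field, the last usable factor cannot be deleted while the policy still demands one, and backup codes are issued at enrollment and consumed one at a time. All names, phone numbers and function names are constructed.

```python
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Optional, Set


class LockedOut(Exception):
    """The account's own login policy can no longer be satisfied by anyone."""


class PolicyViolation(Exception):
    """Raised by the hardened model when an edit would leave the account unrecoverable."""


@dataclass
class Account:
    profile_phone: Optional[str] = None        # shown on the public profile
    second_factor_phone: Optional[str] = None  # used only to deliver login codes
    sms_2fa_required: bool = False
    backup_code_hashes: Set[str] = field(default_factory=set)  # unused one-time codes
    pending_sms_hash: Optional[str] = None


def _h(code: str) -> str:
    return hashlib.sha256(code.encode()).hexdigest()


def login_factors_available(acct: Account) -> bool:
    """True if the policy can still be met: a delivery number or a spare backup code."""
    if not acct.sms_2fa_required:
        return True
    return acct.second_factor_phone is not None or bool(acct.backup_code_hashes)


# --- the behaviour described in the post (hypothetical model, not Facebook's code) ---

def enroll_sms_2fa_weak(acct: Account, phone: str) -> None:
    """One number serves both the public profile and login approval; no backup codes."""
    acct.profile_phone = phone
    acct.second_factor_phone = phone
    acct.sms_2fa_required = True


def remove_profile_phone_weak(acct: Account) -> None:
    """A profile edit that cascades into the security settings but leaves the
    SMS requirement switched on: the catch-22 from the post."""
    acct.profile_phone = None
    acct.second_factor_phone = None


def demo_lockout() -> bool:
    acct = Account()
    enroll_sms_2fa_weak(acct, "+15555550100")   # constructed number
    remove_profile_phone_weak(acct)             # user only meant to hide it
    return login_factors_available(acct)        # False: nobody can log in now


# --- hardened model: separate fields, an invariant, and backup codes ---

def enroll_sms_2fa(acct: Account, phone: str, n_codes: int = 8) -> list:
    """Store the delivery number apart from the profile and hand out backup codes
    in the same step. Returns the plaintext codes exactly once; only hashes are kept."""
    codes = [secrets.token_hex(5) for _ in range(n_codes)]
    acct.second_factor_phone = phone
    acct.sms_2fa_required = True
    acct.backup_code_hashes = {_h(c) for c in codes}
    return codes


def remove_profile_phone(acct: Account) -> None:
    """A profile edit touches the profile field and nothing else."""
    acct.profile_phone = None


def remove_second_factor_phone(acct: Account) -> None:
    """Refuse to drop the last usable factor while the policy still demands one."""
    if acct.sms_2fa_required and not acct.backup_code_hashes:
        raise PolicyViolation("disable SMS login approval, or keep a backup code, first")
    acct.second_factor_phone = None


def send_sms_code(acct: Account) -> str:
    """Issue a one-time code for the delivery number. Returned here only so the
    demo can play the SMS gateway; a real service never hands the code back."""
    if acct.second_factor_phone is None:
        raise LockedOut("no delivery number on file")
    code = f"{secrets.randbelow(10**6):06d}"
    acct.pending_sms_hash = _h(code)
    return code


def complete_login(acct: Account, sms_code: Optional[str] = None,
                   backup_code: Optional[str] = None) -> bool:
    """Second login step. True on success, False on a bad code, LockedOut when no
    code of any kind could ever succeed (the state the post describes)."""
    if not acct.sms_2fa_required:
        return True
    if not login_factors_available(acct):
        raise LockedOut("SMS approval required but no number or backup codes remain")
    if (sms_code is not None and acct.pending_sms_hash is not None
            and secrets.compare_digest(acct.pending_sms_hash, _h(sms_code))):
        acct.pending_sms_hash = None
        return True
    if backup_code is not None and _h(backup_code) in acct.backup_code_hashes:
        acct.backup_code_hashes.discard(_h(backup_code))   # single use
        return True
    return False
```

The invariant lives in `remove_second_factor_phone`, not in the profile editor: whichever screen the deletion comes from, the account can never end up requiring a factor it has no way to deliver. Issuing backup codes at enrollment is what turns "lost the phone" from a lockout into an inconvenience, which is the difference the post draws with Google's printed recovery codes.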

Here's a few big ones for free (3, Insightful)

dbIII (701233) | more than 2 years ago | (#36930724)

Here's some big ones:
Domain name time to live is only 30 fucking seconds! That means anything on the net looking for facebook rechecks twice a minute to see if it really is where it says it is. That's a lot of extra traffic but more importantly latency - a waste of everyone's time as their browser checks if facebook is still there and waits patiently back for the news that facebook hasn't moved anywhere in the last 30 seconds. Because such stupid settings waste time and traffic RFC 1035 requires a minimum of at least 300 seconds for TTL. Because nobody thought anybody would be so stupid facebook stopped working via a lot of web proxy software a few years ago until it was all patched especially for facebook.

Content is marked as being from the year 2000! That's a nasty hack to force web browsers to refresh as fast as they can - a big waste of space that is truly antisocial since there are a lot of broadband plans worldwide that have download limits.

Content that should be able to be cached is marked as non-cacheable! Maybe the page has changed, but has the facebook logo and a pile of other static content been redesigned in the last minute? Who cares - let's force the user to download it all over again and make it tricky for their ISP or company proxy server to cache it all! Let's make them pay more for their internet connection (download limits remember), add a lot of entirely useless repeat traffic to reduce the available bandwidth and increase latency with a pile of pointless host lookups.

Draconian workplace policies that ban facebook are not always there to stop people wasting time, they are sometimes there because facebook wastes a lot of network resources so it comes down to a choice of blocking a site that is buggy by design or paying for a better connection and still having to limit staff facebook use at busy times.

Re:Here's a few big ones for free (1)

Anonymous Coward | more than 2 years ago | (#36931092)

Uh... Facebook's DNS TTL is not 30 seconds. It's 1 hour (verified by running dig from hosts on two separate networks).
I just loaded Facebook's homepage twice. Outside of PHP scripts, on the second load every other resource used was either loaded from cache or 304-ed (i.e. browser asked server, and was told that its version was still current). Facebook does not want to waste data, but they don't want browsers to cache dynamic data, either.

Now I'm not saying that none of what you say was ever true, but just that none of it is true now (outside of there being some stuff being marked as being from Y2K, but that's only stuff which IS dynamic, like the home page, which has a news feed in it).

Re:Here's a few big ones for free (1)

dbIII (701233) | more than 2 years ago | (#36931676)

Uh... Facebook's DNS TTL is not 30 seconds

Good to see they are finally getting something right instead of what they used to do. Google facebook plus squid to find some blogs listing why their behaviour caused problems - especially the insane TTL that gave you a choice of a fast web proxy or something that would actually let the user get beyond the facebook login.

As for the second point about caching, I'm not suggesting that you are making things up but if they are really doing that now it is something that has changed within the last six weeks or so when I was seeing the logs listing stupid amounts of refreshing with only about ten users on facebook at the time - even the logo was getting reloaded!

Re:Here's a few big ones for free (1)

Anonymous Coward | more than 2 years ago | (#36931448)

Thanks for the charity! I made $2000 today just for reading a /. post. Once again proving lurking around on /. is always worth it.
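
The two commenters above disagree about the DNS TTL and about whether static content is re-downloaded or revalidated. Both questions can be settled from the wire rather than argued, and the following is an added example (not code from the thread or from Facebook) of how to read the evidence: a parser for the answer section `dig +noall +answer <name>` prints, taking the minimum TTL across a CNAME chain, and a classifier that applies the RFC 7234 freshness rules to a response's headers to say whether a proxy will serve from cache, send a conditional request (the 304 path), or fetch the whole thing again (the "Expires in 2000, no validator" case). The dig output and header sets are constructed samples, not captured from any real host.

```python
from email.utils import parsedate_to_datetime
from typing import Dict, Optional

# Constructed sample in the shape of `dig +noall +answer <name>`; the names, address
# and TTLs are made up and are not Facebook's.
SAMPLE_DIG = """\
www.example.test.    30    IN  CNAME  edge.example.test.
edge.example.test.   3600  IN  A      192.0.2.10
"""


def min_ttl_from_dig(answer_section: str) -> Optional[int]:
    """Smallest TTL across the answer records. With a CNAME chain the client must
    re-resolve as soon as the shortest-lived record expires, so reading only the
    final A record can make the effective TTL look far longer than it is."""
    ttls = []
    for line in answer_section.splitlines():
        fields = line.split()
        if len(fields) >= 5 and fields[1].isdigit() and not line.startswith(";"):
            ttls.append(int(fields[1]))
    return min(ttls) if ttls else None


def parse_cache_control(value: str) -> Dict[str, object]:
    """Split 'a, b=1, c="x"' into {'a': True, 'b': '1', 'c': 'x'}."""
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        key, _, val = part.partition("=")
        directives[key.strip().lower()] = val.strip().strip('"') if val else True
    return directives


def freshness_lifetime(headers: Dict[str, str]) -> Optional[int]:
    """Seconds a shared cache may serve the response without asking the origin,
    using the RFC 7234 s4.2.1 precedence: s-maxage, then max-age, then
    Expires minus Date. None when the response carries no explicit lifetime."""
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    for key in ("s-maxage", "max-age"):
        if key in cc and str(cc[key]).isdigit():
            return int(cc[key])
    if "expires" in h and "date" in h:
        try:
            delta = parsedate_to_datetime(h["expires"]) - parsedate_to_datetime(h["date"])
        except (TypeError, ValueError):
            return 0   # RFC 7234 s5.3: an unparseable Expires means already stale
        return max(0, int(delta.total_seconds()))
    return None


def classify(headers: Dict[str, str]) -> str:
    """What a proxy does on the next request for this resource."""
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    if "no-store" in cc:
        return "no-store"
    lifetime = freshness_lifetime(headers)
    has_validator = "etag" in h or "last-modified" in h
    if lifetime is None:
        return "heuristic"            # cache may guess a lifetime from Last-Modified
    if lifetime > 0 and "no-cache" not in cc:
        return "fresh"                # served from cache, no request to origin
    if has_validator:
        return "revalidate"           # conditional request, 304 if unchanged
    return "refetch-every-time"       # stale, and nothing to revalidate with


# Constructed header sets illustrating the four outcomes (not captured responses).
SAMPLES = {
    "logo_y2k_no_validator": {
        "Date": "Mon, 01 Aug 2011 12:00:00 GMT",
        "Expires": "Sat, 01 Jan 2000 00:00:00 GMT",
        "Content-Type": "image/png",
    },
    "homepage_y2k_with_etag": {
        "Date": "Mon, 01 Aug 2011 12:00:00 GMT",
        "Expires": "Sat, 01 Jan 2000 00:00:00 GMT",
        "Cache-Control": "private, no-cache, must-revalidate",
        "ETag": '"abc123"',
    },
    "versioned_static": {
        "Date": "Mon, 01 Aug 2011 12:00:00 GMT",
        "Cache-Control": "public, max-age=31536000",
        "Last-Modified": "Fri, 01 Jul 2011 00:00:00 GMT",
    },
    "no_store": {"Cache-Control": "no-store"},
}

if __name__ == "__main__":
    print("effective TTL:", min_ttl_from_dig(SAMPLE_DIG))
    for name, hdrs in SAMPLES.items():
        print(f"{name:25} lifetime={freshness_lifetime(hdrs)} -> {classify(hdrs)}")
```

Two things the classifier makes explicit: a date in the year 2000 is not by itself the "antisocial" setting, since with an ETag or Last-Modified it only costs a conditional request and a 304; it is the combination of a past Expires and no validator that forces a full download on every visit. And on the TTL dispute, the number that matters to a resolver is the minimum across the whole chain, which is why two people running `dig` can honestly read off different figures.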

Why hackers? (0)

Anonymous Coward | more than 2 years ago | (#36930948)

Do they really need hackers for that? The fundamental idea behind Facebook is bugged!

Bad idea (0)

Anonymous Coward | more than 2 years ago | (#36931248)

Do not encourage them

In fact, use it as a honey trap and just report them.

Hackers are bad. Nuff said.

They should not be given jobs for their crimes either, who could trust them.

Not me.

I may just leave facebook now, if they are ENCOURAGING crime to hack my accounts.

Bye Bye facebook.

Scam (0)

Anonymous Coward | more than 2 years ago | (#36931458)

You don't get richer by cutting more checks. Sure, hack the website, then contact Facebook with your details so they can mail you the "check". By check they mean police to drag your ass to jail, since you just sent them all the proof they need to collect your "prize".

Flaw in scheme (1)

GoodnaGuy (1861652) | more than 2 years ago | (#36931890)

There is an obvious flaw in this scheme. What if someone at Google deliberately wrote a bug? He could tell a friend outside the company who would collect the bounty and then share it with him. They would end up basically paying their programmers to write bugs.

how much paid to the developer who wrote the bugs? (1)

MichaelKristopeit410 (2018830) | more than 2 years ago | (#36932334)

$500 is a joke considering the average software engineer is paid over $2,000 a week. Does facebook need to save the money on product quality so they can buy more flat screen TVs on the wall to display simulated fireworks every time they get 1,000,000 users? I suppose now they probably run the animation every time they lose 1,000,000 users....

facebook should fire the individual responsible for the bugs and replace them with the individual proven to be capable of finding fault in the products delivered for consumption by the vast majority of the populace who have put trust in such products.

+1

There's a very serious bug (0)

Anonymous Coward | more than 2 years ago | (#36934350)

That "Like" thing appearing outside of Facebook.
