Marking the 10th Anniversary of Our Bug Bounty Program
Since 2011, Facebook has operated a bug bounty program in which external researchers help improve the security and privacy of Facebook products and systems by reporting potential security vulnerabilities to us. The program helps us detect and fix issues faster to better protect our community, and the rewards we pay to qualifying participants encourage more high quality security research.
Over the past 10 years, more than 50,000 researchers joined this program and around 1,500 researchers from 107 countries were awarded a bounty. A number of them, including myself, have since joined Facebook’s security and engineering teams and continue this work protecting the platform at Facebook.
Today, as we approach the 10th anniversary of our bug bounty program, we’re recognizing the impact the researcher community has had in helping protect people across our apps and we’re sharing two examples of reports that helped us find and fix important issues.
Earlier this year, we received two notable reports – one from a new researcher who joined our program this year, and another from one of the researchers at Google’s Project Zero. We quickly patched both bugs and, in both cases after deploying the initial fix, we did a follow-up review using a combination of automated detection and manual code review to add additional protections.
Content Delivery Network Bug Report
Earlier this year we received a report from Selamet Hariyanto who identified a low impact issue in our Content Delivery Network (CDN), a global network of servers that deliver content to people accessing our platform around the world, where a subset of our CDN URLs could have been accessible after they were set to expire. As always, we rewarded the researcher based on the maximum possible impact of their report, rather than on the lower-severity issue initially reported to us.
Growing Our Bug Bounty Program
In 2011, our bug bounty program started off covering only Facebook’s website. Today, it has grown to cover all of our web and mobile clients across our family of apps, including Instagram, WhatsApp, Oculus, Workplace and more. As the threat landscape has evolved over the years, we’ve focused on three things:
We want to thank our bug bounty community for contributing valuable research over the past 10 years as well as everyone who contributed to the growth of our program in 2020.
Dec 01, 2020 at 01:12