High-impact bugs reported to Facebook are up 38 percent


Facebook and Google have released figures for their bug bounty programs. Facebook reports that it received a total of 13,233 submissions. Google says it handed out more than $2 million in rewards, without commenting on the total number of reports.

Of all the reports Facebook received in 2015, 526 were valid, according to the social network. For these, Facebook rewarded 210 security researchers with a total of $936,000. Most of the money went to researchers from India, Egypt and Trinidad and Tobago. On average, a valid report earned $1,780.

One of Facebook’s key findings is that there is less and less “low-hanging fruit,” meaning bugs that are easy to find. Problems such as cross-site scripting and cross-site request forgery are becoming less common, which the company attributes to its systems maturing. Of all the valid reports, 102 were classified as ‘high impact’, 38 percent more high-impact bugs than in 2014. On its bug bounty blog, Facebook attributes this partly to the improved quality of the reports: the step-by-step reproduction instructions are better, which makes the problems easier to reproduce, and reports more often describe the potential impact of the bug.

Another trend Facebook is seeing is reports from security researchers that focus not on single bugs, but on the overall business logic. This allows Facebook developers to address entire classes of vulnerabilities at once. Facebook also points out a few ‘highlights’. For example, it was possible to perform CSRF attacks against messenger.com because its CSRF protection was not working at all. Within minutes, the company received 15 bug bounty reports for it.

Google paid out more than $2 million in 2015 to more than 300 researchers for more than 750 bugs. Android was added to the rewards program in June 2015 as the Android Security Rewards program. Google has already paid more than $200,000 to participants in this program, and one security researcher received $37,500 for a single bug.

Last year, Google also started a program that pays researchers who have already found bugs in the past an up-front grant to investigate a specific target, even if they do not turn up a new problem. These so-called Vulnerability Research Grants range from $500 to $3,133.70. The company also reports the first success that came out of this grant program: a Russian researcher discovered a bug in YouTube Creator Studio that allowed anyone to delete any video on YouTube simply by changing a URL parameter. In addition to the grant, the researcher received $5,000 for this.

The bug bounty programs do not always generate positive publicity. Recently, a researcher discovered a security vulnerability on an Instagram server and, after receiving a reward, continued his search, found further problems and reported those to Facebook as well. Facebook felt that the researcher had gone too far.
