{"id":516,"date":"2021-12-15T17:00:28","date_gmt":"2021-12-15T17:00:28","guid":{"rendered":"https:\/\/fde.cat\/index.php\/2021\/12\/15\/charting-the-future-of-our-bug-bounty-program\/"},"modified":"2021-12-15T17:00:28","modified_gmt":"2021-12-15T17:00:28","slug":"charting-the-future-of-our-bug-bounty-program","status":"publish","type":"post","link":"https:\/\/fde.cat\/index.php\/2021\/12\/15\/charting-the-future-of-our-bug-bounty-program\/","title":{"rendered":"Charting the future of our bug bounty program"},"content":{"rendered":"

We\u2019re tackling the industry-wide issue of scraping by expanding our bug bounty program to reward valid reports of scraping bugs and unprotected data sets. To the best of our knowledge, this is an industry first.\u00a0<\/span>
\nLooking toward the future, we\u2019re also launching new educational opportunities for researchers and hosting our first <\/span>BountyConEDU<\/span><\/a> \u2014 a three-day conference for university students across Europe interested in learning more about the industry.<\/span>
\nSince launching our bug bounty program in 2011, we\u2019ve received more than 150K reports, of which over 7,800 were awarded a bounty.<\/span><\/p>\n

Over the past 10 years, our bug bounty program has grown from only working with Facebook\u2019s website to covering all of our web and mobile clients across all of our apps, including Instagram, WhatsApp, Quest, Workplace, and more. As we build for the future, we\u2019re expanding the program to help combat the industry-wide issue of scraping and providing more opportunities for researchers.<\/span><\/p>\n

Here are a few highlights from the past decade:<\/span><\/p>\n

Since 2011, we\u2019ve paid out more than $14 million in bug bounties and received more than 150K reports, of which over 7,800 were awarded a bounty.<\/span>
\nWe\u2019ve paid out more than $250,000 in <\/span>Hacker Plus<\/span><\/a> bonuses since that program\u2019s launch in 2020.<\/span>
\nSo far this year, we\u2019ve awarded over $2.3 million to researchers from more than 46 countries.<\/span>
\nThis year alone, we\u2019ve received around 25,000 reports in total and issued bounties on over 800 reports.<\/span>
\nSince 2011, we\u2019ve received the most valid reports from India, the United States, and Nepal.<\/span><\/p>\n

From the beginning, we knew that our program needed to remain agile so that we could pivot in response to emerging risk areas. For example, to help crack down on instances of platform abuse after Cambridge Analytica, we launched the industry\u2019s first<\/span> Data Abuse Bounty program<\/span><\/a>, which rewards researchers who report misuse of Facebook data by app developers. After <\/span>a 2018 attack<\/span><\/a> that targeted access tokens, we launched the industry\u2019s first bug bounty for<\/span> third-party apps and websites<\/span><\/a> to reward researchers who find vulnerabilities that involve abuse of Facebook user data.<\/span><\/p>\n

As we look toward the future of our program, we\u2019re focused on expanding it to address new risk areas and launching new initiatives to recruit and retain researchers.<\/span><\/p>\n

New expansions to cover scraping<\/span><\/h2>\n

As scraping continues to be an internet-wide challenge, we\u2019re excited to open up two new areas of research for our bug bounty community. While we are only one piece of the larger puzzle when it comes to combating scraping efforts, we believe that the bug bounty community is an important element of our own work.<\/span><\/p>\n

Starting as a private bounty track for our Gold+<\/span> HackerPlus<\/span><\/a> researchers, our bug bounty program will now reward reports about scraping bugs. The goal of this program is to find bugs that attackers utilize to bypass scraping limitations to access data at greater scale than the product intended. Our goal is to quickly identify and counter scenarios that might make scraping less costly to execute. To our knowledge, this is the industry\u2019s first bug bounty program for scraping.<\/span><\/p>\n

In addition, we are expanding our data bounty program to reward reports of unprotected or openly public data sets containing at least 100,000 unique Facebook user records that include information such as email, phone number, physical address, religious, or political affiliation. The reported data set must be unique and not previously known or reported to Meta. If the report is valid, we will make efforts with the relevant entity to remove the data set or consider legal means to address the issue. We will reward valid reports of scraped data sets in the form of charity donations to nonprofits of our researchers\u2019 choosing, to ensure that we are not incentivizing scraping activity. <\/span>See more details on this expansion.<\/span><\/a><\/p>\n

Recruiting and retaining researchers<\/span><\/h3>\n

Our program wouldn\u2019t be successful without the external researcher community. We know that bug bounty researchers are in high demand, and want to make sure that our program remains rewarding. However, we also know that bug hunting can be a transient career path, with researchers sometimes transitioning in and out of programs. For this reason, we also want to help cultivate a more sustained interest among new and existing researchers.<\/span><\/p>\n

Educational opportunities<\/span><\/h3>\n

Some of our longtime researchers have told us that they are interested in more educational opportunities to expand the surfaces and products they can hunt on \u2014 especially as certain bug areas are notoriously difficult to transition between, for example from software to hardware bug hunting.<\/span><\/p>\n

We\u2019ve designed our annual conference, BountyCon, to include sessions run by <\/span>our top researchers. In these sessions, they discuss practical techniques and approaches for discovering and reporting critical vulnerabilities across surfaces<\/span> for other researchers to learn from. <\/span>Next year, and pending travel restrictions, the conference will take place in May in Singapore and will be co-hosted with Google.<\/span>\u00a0<\/span><\/p>\n

We noticed at BountyCon that when researchers worked together to submit bugs, they not only found higher-impact bugs but also learned from one another about their different focus areas. To support this kind of teamwork and learning, this year<\/span> we released a collaboration feature<\/span><\/a> for researchers who want to submit joint reports to our program.<\/span><\/p>\n

Later this year, we will also launch a dedicated education center to help quickly onboard bug bounty researchers onto different products and technologies so that they can cut down the time it takes to hunt new areas for bugs.<\/span><\/p>\n

Supporting the next generation of bug hunters<\/span><\/h2>\n

In addition to engaging the researchers that currently participate in our program, it\u2019s also important that we help usher in future generations of bug hunters. In February, we\u2019ll host<\/span> our first BountyConEDU<\/span><\/a>, a conference in Madrid for university students from all over Europe. This three-day conference will allow them to learn more about bug bounties and how to hunt for bugs, as well as to form teams to test Meta products for valid vulnerabilities. <\/span>We\u2019re excited to take our lessons from this event to find ways we can create similar learning opportunities around the world.<\/span><\/p>\n

We want to thank our bug bounty community for their great research and <\/span>everyone who contributed<\/span><\/a> to the growth of our program. As always, we appreciate feedback on how we can make our collaboration even more effective. We look forward to our continued work together to keep our platform secure!<\/span><\/p>\n

The post Charting the future of our bug bounty program<\/a> appeared first on Engineering at Meta<\/a>.<\/p>\n

Engineering at Meta<\/p>","protected":false},"excerpt":{"rendered":"

We\u2019re tackling the industry-wide issue of scraping by expanding our bug bounty program to reward valid reports of scraping bugs and unprotected data sets. To the best of our knowledge, this is an industry first.\u00a0 Looking toward the future, we\u2019re also launching new educational opportunities for researchers and hosting our first BountyConEDU \u2014 a three-day… Continue reading Charting the future of our bug bounty program<\/span><\/a><\/p>\n","protected":false},"author":0,"featured_media":0,"comment_status":"","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","footnotes":""},"categories":[7],"tags":[],"class_list":["post-516","post","type-post","status-publish","format-standard","hentry","category-technology","entry"],"jetpack_featured_media_url":"","jetpack-related-posts":[{"id":610,"url":"https:\/\/fde.cat\/index.php\/2022\/07\/20\/how-meta-and-the-security-industry-collaborate-to-secure-the-internet\/","url_meta":{"origin":516,"position":0},"title":"How Meta and the security industry collaborate to secure the internet","date":"July 20, 2022","format":false,"excerpt":"Bug hunting is hard and can sometimes go unnoticed across our industry. Building scalable bug detection methods across large codebases and open source libraries is an underappreciated yet critical effort every engineering company has to work through. Because the ideal outcome is that bugs are found and fixed before they\u2026","rel":"","context":"In "Technology"","img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":492,"url":"https:\/\/fde.cat\/index.php\/2021\/10\/20\/facebook-engineers-receive-2021-ieee-computer-society-cybersecurity-award-for-static-analysis-tools\/","url_meta":{"origin":516,"position":1},"title":"Facebook engineers receive 2021 IEEE Computer Society Cybersecurity Award for static analysis tools","date":"October 20, 2021","format":false,"excerpt":"Until recently, static analysis tools weren\u2019t seen by our industry as a reliable element of securing code at scale. After nearly a decade of investing in refining these systems, I\u2019m so proud to celebrate our engineering teams today for being awarded the IEEE Computer Society\u2019s Cybersecurity Award for Practice for\u2026","rel":"","context":"In "Technology"","img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":609,"url":"https:\/\/fde.cat\/index.php\/2022\/07\/20\/using-hermess-quicksort-to-run-doom-a-tale-of-javascript-exploitation\/","url_meta":{"origin":516,"position":2},"title":"Using Hermes\u2019s Quicksort to run Doom: A tale of JavaScript exploitation","date":"July 20, 2022","format":false,"excerpt":"At Meta, our Bug Bounty program is an important element of our \u201cdefense-in-depth\u201d approach to security. Our internal product security teams investigate every bug submission to assess its maximum potential impact so that we can always reward external researchers based on both the bug they found and our further internal\u2026","rel":"","context":"In "Technology"","img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":615,"url":"https:\/\/fde.cat\/index.php\/2022\/07\/28\/five-security-principles-for-billions-of-messages-across-metas-apps\/","url_meta":{"origin":516,"position":3},"title":"Five security principles for billions of messages across Meta\u2019s apps","date":"July 28, 2022","format":false,"excerpt":"At Meta, our messaging apps help billions of people around the world stay connected to those who matter most to them. This scale brings potential threats from criminals and hackers, so we have a responsibility to keep people and their data safe. We\u2019re sharing a set of principles to ensure\u2026","rel":"","context":"In "Technology"","img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":800,"url":"https:\/\/fde.cat\/index.php\/2023\/12\/07\/building-end-to-end-security-for-messenger\/","url_meta":{"origin":516,"position":4},"title":"Building end-to-end security for Messenger","date":"December 7, 2023","format":false,"excerpt":"We are beginning to upgrade people\u2019s personal conversations on Messenger to use end-to-end encryption (E2EE) by default Meta is publishing two technical white papers on end-to-end encryption: Our Messenger end-to-end encryption whitepaper describes the core cryptographic protocol for transmitting messages between clients. The Labyrinth encrypted storage protocol whitepaper explains our\u2026","rel":"","context":"In "Technology"","img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":263,"url":"https:\/\/fde.cat\/index.php\/2021\/08\/31\/minesweeper-automates-root-cause-analysis-as-a-first-line-defense-against-bugs\/","url_meta":{"origin":516,"position":5},"title":"Minesweeper automates root cause analysis as a first-line defense against bugs","date":"August 31, 2021","format":false,"excerpt":"Root cause analysis (RCA) is an important part of fixing any bug. After all, you can\u2019t solve a problem without getting to the heart of it. But RCA isn\u2019t always simple, especially at a scale like Facebook\u2019s. When billions of people are using an app on a variety of platforms\u2026","rel":"","context":"In "Technology"","img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]}],"_links":{"self":[{"href":"https:\/\/fde.cat\/index.php\/wp-json\/wp\/v2\/posts\/516","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fde.cat\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fde.cat\/index.php\/wp-json\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/fde.cat\/index.php\/wp-json\/wp\/v2\/comments?post=516"}],"version-history":[{"count":0,"href":"https:\/\/fde.cat\/index.php\/wp-json\/wp\/v2\/posts\/516\/revisions"}],"wp:attachment":[{"href":"https:\/\/fde.cat\/index.php\/wp-json\/wp\/v2\/media?parent=516"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fde.cat\/index.php\/wp-json\/wp\/v2\/categories?post=516"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fde.cat\/index.php\/wp-json\/wp\/v2\/tags?post=516"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}