Facebook locks in on bounties for security

Can the volunteer White Hats of hacking protect the world's most popular social networking site from the Black Hats?

Ryan McGeehan, head of Facebook's security response team, apparently thinks so. In a post on the questions-and-answers site Quora last month, McGeehan wrote: "Facebook Security's bug bounty program (launched last July) has been hugely successful so far and we've gotten great feedback from our active researchers."

He continues: "To date, we've paid out over $300,000 to 131 researchers (in 27 countries) and have one researcher coming on board as an intern this summer."

Facebook typically pays its rewards with "White Hat" debit cards. The researcher hired to work as an intern is Brown University junior Neal Poole, who as of last December had reported about a dozen vulnerabilities to Facebook, reports Brian Krebs of the blog KrebsonSecurity.

Paying bounties for bugs is not a new idea. Google launched its own program in February 2011, and announced this past February that it had paid $410,000 to friendly hackers.

[See Bill Brenner in Salted Hash: Why Boba Fett would work for Google]

Robert O'Harrow Jr. noted in a Washington Post story on zero-day attacks last week that the security firm TippingPoint began offering bounties to hacker researchers in 2005, calling it the Zero Day Initiative.

"Since then, more than 1,600 researchers have been paid for reporting almost 5,000 zero-days," O'Harrow wrote. "Starting at hundreds of dollars, the bounties soar into the tens of thousands. A hacker in Shanghai named Wu Shi has earned close to $300,000 for reporting more than 100 flaws in web browsers."

And Andy Greenberg, writing in Forbes last week, said Google has increased its maximum bounty for reporting a single bug in its web services to $20,000, more than five times its previous maximum of $3,133.70.

But is even $300,000 enough to keep promising hackers from the dark side in the long term? That apparently remains to be seen. Thousands of hackers working for mostly modest bounties to prevent cybercrime on popular sites suggest that it is.

In the world of international hacking and mega-companies like Facebook, however, the bounties look like small change. Even if Facebook is only worth a quarter of the $104 billion estimated at its IPO, $300,000 doesn't even amount to a rounding error.

"Facebook's and Google's rewards for vulnerability information likely can't compete with a more lucrative black market for bugs intended for actual offensive hacking rather than defensive fixes," Greenberg wrote. "Both the French firm Vupen and an exploit broker who goes by the handle The Grugq (said) Google's rewards pale in comparison to the prices governments pay for the same information with the intention of spying on users' machines."

McGeehan does not appear to be worried. "Historically, bad guys have always been known to backstab each other," he wrote. "They frequently discover each others' bugs and secretly disclose them to us for a bounty. Even worse, they'll 'sell' a bug on a black market, then turn around and disclose it to us to double dip on both the bug and the bounty. When the buyer complains about the bug being fixed, the seller will feign ignorance and claim that FB found and closed the bug independently."

"Turning the blackhat marketplace sideways has been a personal joy for me since we launched our program," McGeehan wrote.

Robert Siciliano, CEO of IDTheftSecurity.com, said while there are risks to such programs -- the possibility of "[prompting] a bidding war between the companies themselves and criminals" -- he believes it has value.

"This seems to be part of a layered approach," he said. "These companies could employ full-time pen testers, and probably do, but there is so much talent out there that this crowd source [method] is both cost effective and a means to an end."

Siciliano also has faith in the goodness of human nature. "Inherently people are good," he said. "Otherwise we wouldn't have civility at any level. People want to help."
