Facebook locks in on bounties for security

Can the volunteer White Hats of hacking protect the world's most popular social networking site from the Black Hats?

Ryan McGeehan, head of Facebook's security response team, apparently thinks so. In a post on the questions-and-answers site Quora last month, McGeehan wrote: "Facebook Security's bug bounty program ( launched last July) has been hugely successful so far and we've gotten great feedback from our active researchers."

He continues: "To date, we've paid out over $300,000 to 131 researchers (in 27 countries) and have one researcher coming on board as an intern this summer."

Facebook typically pays its rewards with "White Hat" debit cards. The researcher hired to work as an intern is Brown University junior Neal Poole, who as of last December had reported about a dozen vulnerabilities to Facebook, reports Brian Krebs of the blog KrebsonSecurity.

Paying bounties for bugs is not a new idea. Google launched its own program in February 2011, and announced this past February that it had paid $410,000 to friendly hackers.

[See Bill Brenner in Salted Hash: Why Boba Fett would work for Google]

Robert O'Harrow Jr. noted in a Washington Post story on zero-day attacks last week that the security firm TippingPoint began offering bounties to hacker researchers in 2005, calling it the Zero Day Initiative.

"Since then, more than 1,600 researchers have been paid for reporting almost 5,000 zero-days," O'Harrow wrote. "Starting at hundreds of dollars, the bounties soar into the tens of thousands. A hacker in Shanghai named Wu Shi has earned close to $300,000 for reporting more than 100 flaws in web browsers."

And Andy Greenberg, writing in Forbes last week, said Google has increased its maximum bounty for reporting a single bug in its web services to $20,000, more than five times its previous maximum of $3,133.70.

But is even $300,000 enough to keep promising hackers from the dark side in the long term? That apparently remains to be seen. Thousands of hackers working for mostly modest bounties to prevent cybercrime on popular sites suggest that it is.

In the world of international hacking and mega-companies like Facebook, however, the bounties look like small change. Even if Facebook is only worth a quarter of the $104 billion estimated at its IPO, $300,000 doesn't even amount to a rounding error.

"Facebook's and Google's rewards for vulnerability information likely can't compete with a more lucrative black market for bugs intended for actual offensive hacking rather than defensive fixes," Greenberg wrote. "Both the French firm Vupen and an exploit broker who goes by the handle The Grugq (said) Google's rewards pale in comparison to the prices governments pay for the same information with the intention of spying on users' machines."

McGeehan does not appear to be worried. "Historically, bad guys have always been known to backstab each other," he wrote. "They frequently discover each others' bugs and secretly disclose them to us for a bounty. Even worse, they'll 'sell' a bug on a black market, then turn around and disclose it to us to double dip on both the bug and the bounty. When the buyer complains about the bug being fixed, the seller will feign ignorance and claim that FB found and closed the bug independently."

"Turning the blackhat marketplace sideways has been a personal joy for me since we launched our program," McGeehan wrote.

Robert Siciliano, CEO of IDTheftSecurity.com, said while there are risks to such programs -- the possibility of "[prompting] a bidding war between the companies themselves and criminals" -- he believes it has value.

"This seems to be part of a layered approach," he said. "These companies could employee full-time pen testers, and probably do, but there is so much talent out there that this crowd source [method] is both cost effective and a means to an end."

Siciliano also has faith in the goodness of human nature. "Inherently people are good," he said. "Otherwise we wouldn't have civility at any level. People want to help."

Read more about malware/cybercrime in CSOonline's Malware/Cybercrime section.

Join the CSO newsletter!

Error: Please check your email address.

More about BillFacebookGoogleTippingPointTippingPoint

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Taylor Armerding

Latest Videos

More videos

Blog Posts