Social media giant Facebook has awarded over $1.98 Mn to researchers from more than 107 countries for reporting bugs on the platform. India, Tunisia and the US were the top three countries based on the bounties awarded this year, the company has confirmed.
The amount has been awarded under Facebook’s bug bounty programme, which rewards researchers and cybersecurity experts for finding vulnerabilities in the platform. The company uses the programme to make its platform more secure and less susceptible to threats. A number of these winners have also gone on to join Facebook’s security and engineering teams.
“When we receive a valid report that requires a fix, we look not only at the report as it was submitted but at the underlying area of code to understand the issue in greater depth. Sometimes this proactive investigation leads us to discover related improvements we can make to better protect people’s security and privacy,” Dan Gurfinkel, Facebook’s security engineering manager, who was also a researcher that won the bounty, said in a blog post.
The programme was launched in 2011 and entered its tenth year in 2020. It has received more than 13,000 reports so far, of which 6,900 were rewarded as well. This year, Facebook received over 17,000 reports and issued bounties to over 1,000 reports.
The highest bounty ever, of $80K, was given to researcher Selamet Hariyanto for identifying a low-impact issue in its Content Delivery Network (CDN), a global network of servers that delivers content to people accessing the platform around the world.
After fixing this bug, Facebook’s internal researchers found a rare scenario where a very sophisticated attacker could have escalated to remote code execution.
Besides Facebook, other companies run similar bounty programmes to keep their platforms safe. In some cases, independent researchers have also come forward on their own to highlight security concerns.
Back in September, Uber fixed a bug found by Indian cybersecurity researcher Anand Prakash and paid him a bounty of $6,500. Prakash explained that the bug was an account takeover vulnerability on Uber that allowed attackers to take over any other user’s Uber account, including those of partners and Uber Eats users.
Similarly, independent security researcher Ehraz Ahmed found a security flaw at telecom giant Airtel that exposed sensitive information of any Airtel subscriber. Ahmed said the flaw existed in one of its APIs. Interestingly, Ahmed also published a proof-of-concept video of the flaw online to back his claim about the bug.
Meanwhile, Facebook also offers bounties to researchers who find flaws in Instagram and WhatsApp. Chennai-based security researcher Laxman Muthiyah found a bug in Instagram that allowed anyone to hack the popular photo-sharing social networking service. Muthiyah found that the same device ID, the unique identifier the Instagram server uses to validate a password reset code, could be used to request multiple passcodes for different users.
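The Instagram issue above comes down to how a reset code is bound to the request that produced it. The following is an added illustration, not code from the article or from Instagram, and the service classes, the policy constants and the user and device identifiers in it are constructed for the example: a deliberately weak reset service that keys codes by device ID alone, shown beside a hardened one that binds each code to the (user, device) pair, expires it, caps verification attempts and limits how many codes a single device may request.

```python
import hmac
import secrets
import time

# Policy values assumed for the example, not taken from the article.
CODE_TTL_SECONDS = 600          # a reset code expires ten minutes after issue
MAX_VERIFY_ATTEMPTS = 5         # guesses allowed against one issued code
MAX_ISSUES_PER_DEVICE = 3       # codes one device may request per window
ISSUE_WINDOW_SECONDS = 3600


class VulnerableResetService:
    """Keys the stored code by device ID only. The account being reset is not
    part of the binding, so a code issued for one user validates in another
    user's reset flow from the same device (the weakness described above)."""

    def __init__(self):
        self.codes = {}  # device_id -> code

    def request_code(self, user_id, device_id):
        code = f"{secrets.randbelow(10**6):06d}"
        self.codes[device_id] = code
        return code

    def verify(self, user_id, device_id, code):
        return hmac.compare_digest(self.codes.get(device_id, ""), code)


class HardenedResetService:
    """Binds each code to (user, device), gives it a TTL, caps verify
    attempts, makes it single-use and rate-limits issuance per device."""

    def __init__(self, now=time.time):
        self.now = now          # injectable clock so tests can control time
        self.codes = {}         # (user_id, device_id) -> [code, expiry, attempts_left]
        self.issues = {}        # device_id -> timestamps of recent code requests

    def request_code(self, user_id, device_id):
        t = self.now()
        recent = [ts for ts in self.issues.get(device_id, []) if t - ts < ISSUE_WINDOW_SECONDS]
        if len(recent) >= MAX_ISSUES_PER_DEVICE:
            raise PermissionError("device exceeded reset-code request limit")
        self.issues[device_id] = recent + [t]
        code = f"{secrets.randbelow(10**6):06d}"
        self.codes[(user_id, device_id)] = [code, t + CODE_TTL_SECONDS, MAX_VERIFY_ATTEMPTS]
        return code

    def verify(self, user_id, device_id, code):
        entry = self.codes.get((user_id, device_id))
        if entry is None:
            return False
        stored, expiry, attempts_left = entry
        if self.now() > expiry or attempts_left <= 0:
            self.codes.pop((user_id, device_id), None)   # expired or exhausted
            return False
        entry[2] -= 1                                    # count every guess
        ok = hmac.compare_digest(stored, code)           # constant-time compare
        if ok:
            self.codes.pop((user_id, device_id), None)   # single use
        return ok


def demo_cross_user_replay():
    """A code issued for 'alice' on device D is presented in 'bob's reset flow
    from the same device. Returns (vulnerable_accepts, hardened_accepts)."""
    v = VulnerableResetService()
    code = v.request_code("alice", "device-D")
    vulnerable_accepts = v.verify("bob", "device-D", code)

    h = HardenedResetService()
    code = h.request_code("alice", "device-D")
    hardened_accepts = h.verify("bob", "device-D", code)
    return vulnerable_accepts, hardened_accepts


def demo_device_issue_limit():
    """Counts how many codes one device can obtain, across different users,
    before the per-device limit stops it."""
    h = HardenedResetService()
    issued = 0
    for n in range(10):
        try:
            h.request_code(f"user-{n}", "device-D")
            issued += 1
        except PermissionError:
            break
    return issued


def demo_attempt_cap():
    """Exhausts the guess budget with wrong codes; the correct code is then
    rejected too, because the entry has been discarded."""
    h = HardenedResetService()
    code = h.request_code("alice", "device-D")
    wrong = "000000" if code != "000000" else "000001"
    for _ in range(MAX_VERIFY_ATTEMPTS):
        h.verify("alice", "device-D", wrong)
    return h.verify("alice", "device-D", code)


if __name__ == "__main__":
    print("cross-user replay (vulnerable, hardened):", demo_cross_user_replay())
    print("codes one device could obtain:", demo_device_issue_limit())
    print("correct code accepted after attempt cap:", demo_attempt_cap())
```

The point of the hardened variant is that the device ID alone is never treated as proof of who requested the code: the account, the device, a time limit, an attempt budget and a per-device issuance limit all have to agree, and a missing or failed check on any of them produces the same rejection.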