Company paid $1.3 million in rewards in 2014

Feb 26, 2015 14:25 GMT

Since the beginning of the year, security researchers submitted more than 100 valid vulnerabilities to Facebook through its bug bounty program, continuing the upward trend recorded in 2014.

The company says that last year the rate of bug submissions increased by 16%, having received reports for 17,011 glitches affecting its social networking platform and other services in its portfolio.

Out of these, 61 entries were confirmed as having a high severity level and were fixed by its developers. The number represents almost 50% more than in 2013.

India was the top contributor in 2014

The total amount of money paid to external researchers for their security notifications was $1.3 / €1.15 million, almost half of what Facebook paid since the beginning of its reward program in 2011.

321 researchers from 65 countries were awarded bounties, with the average bounty calculated at $1,788 / €1,580. As for the total number of countries the reports came from, Facebook said in a blog post on Wednesday that it has now reached 123.

At the top of the list is India, with 196 reports and a reward average of $1,343 / €1,190. Next came Egypt, with 81 bugs (pay average of $1,220 / €1,080), and the US, with 61 vulnerabilities (average reward of $2,470 / €2,186).

The company did not provide any information on the highest reward it paid last year, but it did say that the “top five earners last year collectively netted $256,750 [€227,400].”

Among the top vulnerabilities received by Facebook in 2014 was hidden parameter input, where the backend code received multiple values for the same parameter, leading to “unintended effects downstream.”
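The following is an added example, not code from the article or from Facebook, showing how a query string carrying the same parameter twice reaches backend code and why two components can disagree about its value. The two "consumer" functions are hypothetical stand-ins for backend components that read the request differently; the sample query string is constructed.

```python
"""Added example (not from the article): duplicate query parameters seen by
backend code, and a strict parser that rejects them before they are used."""
from urllib.parse import parse_qs, parse_qsl


def first_value_view(query: str) -> dict:
    """Hypothetical component A: takes the first value of each parameter."""
    return {k: v[0] for k, v in parse_qs(query).items()}


def last_value_view(query: str) -> dict:
    """Hypothetical component B: dict(parse_qsl(...)) keeps the last value."""
    return dict(parse_qsl(query))


def disagreements(query: str) -> list:
    """Parameters for which components A and B would act on different values.

    This is the 'unintended effect downstream': one component validates
    value 1 while another acts on value 2."""
    a, b = first_value_view(query), last_value_view(query)
    return sorted(k for k in a if a[k] != b[k])


def strict_params(query: str) -> dict:
    """Parse a query string and reject any parameter supplied more than once."""
    parsed = parse_qs(query, keep_blank_values=True)
    dupes = sorted(k for k, v in parsed.items() if len(v) > 1)
    if dupes:
        raise ValueError(f"duplicate parameters rejected: {dupes}")
    return {k: v[0] for k, v in parsed.items()}


if __name__ == "__main__":
    polluted = "post_id=123&post_id=456&action=delete"  # constructed sample
    print("component A sees:", first_value_view(polluted))
    print("component B sees:", last_value_view(polluted))
    print("parameters the two disagree on:", disagreements(polluted))
    try:
        strict_params(polluted)
    except ValueError as err:
        print("strict parser:", err)
```

Rejecting duplicates at the edge, as `strict_params` does, removes the ambiguity entirely; logging the rejected parameter names also gives a useful detection signal, since legitimate clients rarely send the same parameter twice.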

Another one is related to Amazon Web Services and could have an impact on other websites relying on S3 buckets to access content in the cloud. It consisted of an error in the regex that determined whether an S3 bucket was legitimate or not.
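As an added example (not the article's or Facebook's code; the article does not show the real pattern), here is a loose regex for deciding whether a URL points at an S3 bucket beside a strict one. Both patterns are assumptions for illustration, based on the virtual-hosted bucket form `<bucket>.s3.amazonaws.com`; the sample URLs are constructed.

```python
"""Added example: loose versus strict regex validation of an S3 bucket URL.
The patterns are illustrative assumptions, not a real service's code."""
import re
from urllib.parse import urlsplit

# Loose (assumed flawed pattern): unanchored, dots unescaped, and applied to
# the whole URL, so it matches a look-alike anywhere in the string.
LOOSE_S3 = re.compile(r"[a-z0-9.-]+.s3.amazonaws.com")

# Strict: applied to the parsed host only, anchored at both ends, dots
# escaped, bucket label limited to the DNS-style character set and length.
STRICT_S3_HOST = re.compile(r"[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]\.s3\.amazonaws\.com")


def is_s3_url_loose(url: str) -> bool:
    """Flawed check: substring search over the raw URL."""
    return LOOSE_S3.search(url) is not None


def is_s3_url_strict(url: str) -> bool:
    """Hardened check: https only, and the entire host must be a bucket host."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    host = parts.hostname or ""  # urlsplit lowercases the host for us
    return STRICT_S3_HOST.fullmatch(host) is not None


if __name__ == "__main__":
    samples = [  # constructed URLs
        "https://my-bucket.s3.amazonaws.com/file.txt",
        "https://my-bucket.s3.amazonaws.com.attacker.example/file.txt",
        "https://attacker.example/?next=my-bucket.s3.amazonaws.com",
        "https://my-bucket-s3-amazonaws-com.attacker.example/",
    ]
    for url in samples:
        print(f"{url}\n  loose={is_s3_url_loose(url)} strict={is_s3_url_strict(url)}")
```

The second and fourth samples pass the loose check because nothing anchors the pattern to the end of the host and the unescaped `.` matches a `-`; the third passes because the check runs over the whole URL rather than the host. Any site using a similar check to decide whether content may be fetched from "its" bucket would make the same mistake, which is the impact on other websites the article mentions.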

The third notable glitch concerned legacy REST API calls: a misconfigured endpoint allowed REST API calls to be made on behalf of any Facebook user using only that user's ID.
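The following is an added example, not Facebook's code, contrasting an endpoint that acts on behalf of whatever user ID the client supplies with one that derives the acting user from the authenticated session. The session store, user IDs, token strings and handler names are all constructed for illustration.

```python
"""Added example: a client-supplied user ID must never select whom an API
call acts for; the acting user comes from the authenticated session."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed session store: opaque session token -> user ID it was issued to.
SESSIONS: Dict[str, int] = {"tok-alice-8f2c": 1001, "tok-bob-3d9e": 1002}


@dataclass
class Request:
    params: Dict[str, str]
    session_token: Optional[str] = None


class Forbidden(Exception):
    """Raised when a request is not allowed to act for the requested user."""


def misconfigured_post_status(req: Request, posts: List[Tuple[int, str]]) -> int:
    """The flaw: trusts the 'uid' parameter and posts as that user.

    Any caller who knows a user ID can act on that user's behalf."""
    uid = int(req.params["uid"])
    posts.append((uid, req.params["message"]))
    return uid


def fixed_post_status(req: Request, posts: List[Tuple[int, str]]) -> int:
    """Acts only for the session owner; a 'uid' parameter, if present, must match."""
    uid = SESSIONS.get(req.session_token or "")
    if uid is None:
        raise Forbidden("no valid session")
    if "uid" in req.params and int(req.params["uid"]) != uid:
        # Mismatch between session owner and requested identity is the signal
        # to log and alert on; it should never be silently honoured.
        raise Forbidden("uid does not match session owner")
    posts.append((uid, req.params["message"]))
    return uid


if __name__ == "__main__":
    feed: List[Tuple[int, str]] = []
    # Bob's session asks to post as Alice (uid 1001).
    as_bob = Request({"uid": "1001", "message": "hi"}, session_token="tok-bob-3d9e")
    print("misconfigured posted as:", misconfigured_post_status(as_bob, feed))
    try:
        fixed_post_status(as_bob, feed)
    except Forbidden as err:
        print("fixed endpoint refused:", err)
```

The fix is not an extra parameter check but a change of trust boundary: identity is read from something the server issued (the session), and client-supplied identity is at most cross-checked against it.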