> Companies always say they will investigate the full impact of a vulnerability when you follow the protocol they urge of "as soon as you find something, report it and don't try to escalate". But this is nearly impossible to do even if you're trying in good faith.
Disclaimer: I was a Security Engineer on the FB Security Team until last month and regularly attended the payout meetings :-)
I've seen plenty of bug bounty programs making such claims, but the Facebook program lives up to this promise the most. Every bug is root-caused to the line that caused the issue and assessed on maximal potential impact.
Sometimes that leads to cases where low impact vulnerabilities got paid out tens of thousands of dollars. The big bounty often came as a big surprise to the reporter :-)
So what do you think is going on in this piece (5 years old), where Alex Stamos characterizes the issue as "trivial and of little value"?
> Facebook has big pockets. As a bug bounty hunter, I'd not worry about being screwed by them. It's by far one of the best paying bounty programs.
I don't think the middle sentence is related to the other two. Every company I triaged for had deep pockets. I routinely saw payouts in excess of $1,000 and not uncommonly several thousand. I don't recall ever seeing one that hit $10,000. But what I'm describing above are ways for the company to screw the researcher without really being motivated by stinginess. Fairness is not a concern.
> So what do you think is going on in this piece (5 years old), where Alex Stamos characterizes the issue as "trivial and of little value"?
I sadly wasn't there at the time, and Stamos' post doesn't refer to it at all. So I can't comment on this.
I guess the truth on this is just known to the researcher, their boss, and Stamos.
> But what I'm describing above are ways for the company to screw the researcher without really being motivated by stinginess. Fairness is not a concern.
That's a fair point, and I can see how representation can cause a significantly different payout decision, especially if there is no technical payout panel with a security background.
Phrasing something as "Reflected XSS" vs. "Account Take-Over via XSS" sounds undoubtedly different. But it is impact-wise probably the same.
The problem is mitigated at Facebook by having engineers in the payout panel that understand the tech stack and security implications. But I think many companies don't have that luxury, and you undoubtedly may end up with inconsistencies.
Thanks for sharing your perspective. Much appreciated!
Just a recent example: a bug bounty hunter reported unexpired CDN links. After internal research, FB figured out how to chain this into a Remote Code Execution and paid out 80k USD (https://www.facebook.com/BugBounty/posts/approaching-the-10t...)
Facebook has big pockets. As a bug bounty hunter, I'd not worry about being screwed by them. It's by far one of the best paying bounty programs.
There are many reasons to criticize Facebook or Instagram. But the handling of its application security should not be in the top 10 :-)