Facebook bug bounty spend rockets - but has effectiveness increased?
A bumper year for Facebook's bug bounty programme: two-thirds of 2015's total spend has already been matched in the first half of 2016 alone. What has Facebook been doing right (and wrong), and what does it mean for your business?
Facebook has paid out an impressive $5m to researchers over the last five years for reporting bugs in its social-media, messaging, and hardware platforms. The social media giant began its bug bounty program in 2011, and now accepts and pays researchers bounties on a widening range of products, including Instagram, Oculus Rift, Free Basics, and as of this year WhatsApp.
This widening scope may go some way to explaining why spending is running ahead of last year's pace. Facebook has paid out $5m to over 900 researchers over the five years; more than $610,000 of that total, or 12.2 per cent, went to 149 researchers in the first half of 2016 alone.
In March, Facebook paid researcher Anand Prakash $15,000 for reporting a bug that could have allowed an attacker to take over any Facebook account: the password-reset flow on a beta-testing site did not limit attempts at the reset code, so the code could simply be brute-forced.
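The class of flaw behind that report, a code check with no attempt limit, is easy to demonstrate. The following is an added example, not Facebook's code or Prakash's proof of concept: a toy reset-code verifier with and without a per-account attempt cap, and a brute-force loop run against each. The six-digit code, the cap of five attempts and the class and function names are assumptions for illustration.

```python
import hmac
import secrets


class ResetCodeVerifier:
    """Toy model of a password-reset code check for one account (example only).

    max_attempts=None models the unthrottled endpoint, the bug class reported
    above; a small integer models the hardened version, which locks the code
    after too many wrong guesses.
    """

    def __init__(self, code=None, max_attempts=None):
        # A real service generates the code server-side; it is injectable here
        # only so the example is deterministic.
        self.code = code if code is not None else f"{secrets.randbelow(10**6):06d}"
        self.max_attempts = max_attempts  # assumed policy knob
        self.attempts = 0
        self.locked = False

    def verify(self, candidate):
        """Return 'ok', 'wrong' or 'locked'."""
        if self.locked:
            return "locked"
        self.attempts += 1
        # Constant-time comparison so response timing does not leak the code.
        if hmac.compare_digest(candidate, self.code):
            self.locked = True  # a reset code is single-use once accepted
            return "ok"
        if self.max_attempts is not None and self.attempts >= self.max_attempts:
            self.locked = True  # further guesses are refused outright
        return "wrong"


def brute_force(verifier, keyspace=10**6):
    """Try every six-digit code in order; report how the attack ended."""
    for n in range(keyspace):
        outcome = verifier.verify(f"{n:06d}")
        if outcome == "ok":
            return ("cracked", n + 1)  # number of requests needed
        if outcome == "locked":
            return ("locked", n + 1)
    return ("exhausted", keyspace)


def demo():
    # Constructed code for the demo; in practice the attacker does not know it.
    code = "042317"
    unthrottled = brute_force(ResetCodeVerifier(code))
    throttled = brute_force(ResetCodeVerifier(code, max_attempts=5))
    return unthrottled, throttled


if __name__ == "__main__":
    u, t = demo()
    print("no rate limit :", u)  # ('cracked', 42318)
    print("5-attempt cap :", t)  # ('locked', 6)
```

Without the cap, the attacker needs at most a million requests, which is well within reach of a single machine; with it, the sixth request is refused regardless of what it contains. In a real service the counter lives server-side, keyed per account (and ideally per source as well), and the code also expires after a short window.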
In 2015, the company paid out $936,000, and even more in previous years - it sent $1.3m to 321 researchers in 2014, and $1.5m in 2013.
So what has Facebook gained from its five-year programme and $5m cash investment (not counting the unknown cost in staff hours spent triaging unsuccessful submissions, which hit 9,000 in the first half of 2016 alone)?
It is probably more secure overall; the account-takeover bug above is one of many potentially serious, brand-damaging vulnerabilities the programme has closed. It has not all been plain sailing, however. There have been a few political hiccups over the years, notably the Instagram bug disclosure/non-disclosure incident, which mainly highlighted how quickly the bug bounty process can go awry.
As Ilia Kolochenko, CEO of High-Tech Bridge, said at the time: “That Facebook bounty scandal is a good example of the trouble that can result when company and researcher have different visions on the scope of testing and related risks. You can specify conditions and criteria for vulnerability submissions as carefully as you like, but very few researchers will actually read them and even fewer will respect them.”
Facebook pledged at the time to learn from that incident, and learning is one of the main benefits the company has highlighted recently: “Five years of experience has helped us refine and strengthen many aspects of our program, and we heard from researchers that they appreciate our rewards, triaging, and quick fixes. But researchers also gave us ideas about how to make our program even better, so we are making changes to better support our bug bounty community”, said Joey Tyson, a security engineer on the Facebook Bug Bounty team, in a blog post.
“Our award notifications now include information on how the specific bounty was determined. We continue to make these decisions based on real (rather than perceived) risk and will share more details on the thinking behind each award. We're also preparing to share more educational resources on security fundamentals and topics specific to our products”, Tyson added.
Clearly a certain amount of diplomacy goes a long way when running a successful bug bounty programme, and a robust, understandable process on both sides, the reporter's and the vendor's, is essential. Triage, remediation and notification are the key elements of the mix, and they matter more than they seem for maintaining trust. As an aside, even Facebook might struggle to match some of the remediation times posted on the non-profit open archive Open Bug Bounty, where the fastest fix currently on record took one minute.
Of course, bug bounty programmes are no security panacea, and it is fairly clear that, despite the number of large corporations launching new programmes, very few of them expect them to be.
As Kolochenko said: “Vulnerability testing methodologies should be proportional to your web infrastructure size, scope and, most important, its expected usage in production. If you are a large company with numerous publicly facing web applications available and designed for everyone – a bounty programme can definitely be a great added-value for your security arsenal. Otherwise, you'd be better spending your budget on traditional web security solutions, proper integration of S-SDLC, and mitigation of the most popular web application security risks”.