Monday, 24 June 2013

FaceBook Reward $500 USD For Your Bug Bounty Info

FaceBook released on its security blog a bug  information  that unintentionally exposed some members' contact details.
Important Message from Facebook's White Hat Program
At Facebook, we take people’s privacy seriously, and we strive to protect people’s information to the very best of our ability. We implement many safeguards, hire the brightest engineers and train them to ensure we have only high-quality code behind the scenes of your Facebook experiences. We even have teams that focus exclusively on preventing and fixing privacy-related technical issues before they affect you.
Even with a strong team, no company can ensure 100% prevention of bugs, and in rare cases we don’t discover a problem until it has already affected a person’s account. This is one of the reasons we also have a White Hat program to collaborate with external security researchers and help us ensure that we maintain the highest security standards for our users.
We recently received a report to our White Hat program regarding a bug that may have allowed some of a person’s contact information (email or phone number) to be accessed by people who either had some contact information about that person or some connection to them.
Describing what caused the bug can get pretty technical, but we want to explain how it happened. When people upload their contact lists or address books to Facebook, we try to match that data with the contact information of other people on Facebook in order to generate friend recommendations. For example, we don’t want to recommend that people invite contacts to join Facebook if those contacts are already on Facebook; instead, we want to recommend that they invite those contacts to be their friends on Facebook.
Because of the bug, some of the information used to make friend recommendations and reduce the number of invitations we send was inadvertently stored in association with people’s contact information as part of their account on Facebook. As a result, if a person went to download an archive of their Facebook account through our Download Your Information (DYI) tool, they may have been provided with additional email addresses or telephone numbers for their contacts or people with whom they have some connection. This contact information was provided by other people on Facebook and was not necessarily accurate, but was inadvertently included with the contacts of the person using the DYI tool.
After review and confirmation of the bug by our security team, we immediately disabled the DYI tool to fix the problem and were able to turn the tool back on the next day once we were satisfied that the problem had been fixed.
We've concluded that approximately 6 million Facebook users had email addresses or telephone numbers shared. There were other email addresses or telephone numbers included in the downloads, but they were not connected to any Facebook users or even names of individuals. For almost all of the email addresses or telephone numbers impacted, each individual email address or telephone number was only included in a download once or twice. This means, in almost all cases, an email address or telephone number was only exposed to one person. Additionally, no other types of personal or financial information were included and only people on Facebook – not developers or advertisers – have access to the DYI tool.
We currently have no evidence that this bug has been exploited maliciously and we have not received complaints from users or seen anomalous behavior on the tool or site to suggest wrongdoing. Although the practical impact of this bug is likely to be minimal since any email address or phone number that was shared was shared with people who already had some of that contact information anyway, or who had some connection to one another, it's still something we're upset and embarrassed by, and we'll work doubly hard to make sure nothing like this happens again. Your trust is the most important asset we have, and we are committed to improving our safety procedures and keeping your information safe and secure.
We have already notified our regulators in the US, Canada and Europe, and we are in the process of notifying affected users via email.
We appreciate the security researcher's report to our White Hat program, and have paid out a bug bounty to thank him for his efforts.
If you are a security researcher, please review our responsible disclosure policy before reporting any vulnerabilities. If you are not a security researcher, visit the Facebook Security Page for assistance.
If you believe you have found a security vulnerability on Facebook, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem.
Responsible Disclosure Policy
If you give us a reasonable time to respond to your report before making any information public and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research, we will not bring any lawsuit against you or ask law enforcement to investigate you.
Bug Bounty Info
To show our appreciation for our security researchers, we offer a monetary bounty for certain qualifying security bugs. Here is how it works:
Eligibility
To qualify for a bounty, you must:
  • Adhere to our Responsible Disclosure Policy (above)
  • Be the first person to responsibly disclose the bug
  • Report a bug that could compromise the integrity of Facebook user data, circumvent the privacy protections of Facebook user data, or enable access to a system within the Facebook infrastructure, such as:
  • Cross-Site Scripting (XSS)
  • Cross-Site Request Forgery (CSRF/XSRF)
  • Broken Authentication (including Facebook OAuth bugs)
  • Circumvention of our Platform/Privacy permission models
  • Remote Code Execution
  • Privilege Escalation
  • Provisioning Errors
  • Please use a test account instead of a real account when investigating bugs. When you are unable to reproduce a bug with a test account, it is acceptable to use a real account, except for automated testing. Do not interact with other accounts without the consent of their owners.
  • Reside in a country not under any current U.S. Sanctions (e.g., North Korea, Libya, Cuba, etc.)
Our security team will assess each bug to determine if it qualifies.
Rewards
  • Our minimum reward is $500 USD
  • There is no maximum reward: each bug is awarded a bounty based on its severity and creativity
  • Only 1 bounty per security bug will be awarded
Exclusions
The following bugs are not eligible for a bounty (and we do not
  • recommend testing for these):
  • Security bugs in third-party applications (e.g., http://apps.facebook.com/[app_name])
  • Security bugs in third-party websites that integrate with Facebook
  • Denial of Service Vulnerabilities

No comments:

Post a Comment