Facebook today announced it paid out $936,000 to 210 security researchers for 526 valid reports in 2015 as part of its bug bounty program. The company has now given over $4.3 million in rewards to more than 800 researchers for making over 2,400 submissions since the program launched back in August 2011.
2015’s sum is actually lower than the year before, which was lower than the year before that: Facebook paid 321 security researchers $1.3 million in 2014 and 330 security researchers $1.5 million in 2013. While the number of submissions grew when comparing 2013 and 2014 (from 14,763 to 17,011), they were down even lower in 2015: Facebook received 13,233 bug bounty submissions from 5,543 researchers in 127 countries. Even the average payout was down slightly: from $1,788 in 2014 to $1,780 in 2015.
Facebook says there are two reasons why these numbers are down across the board, and why one number is up: 102 bug bounty submissions were classified as high impact in 2015, an increase of 38 percent over 2014. The company says that the quality of reports is getting better and that more reports are about business logic.
The former means Facebook’s security receives step-by-step instructions to reproduce the issue, sees attack scenarios in their reports, and gets reports that clearly prioritize a few important issues rather than many low-impact bugs. The latter translates into Facebook removing entire classes of vulnerabilities all at once, applying a researcher’s findings to the entire codebase.
Facebook highlighted three bounties for 2015:
- Messenger Web missing CSRF protection site-wide: when messenger.com launched, it had a problem in the CSRF check that rendered it ineffective, site wide. Within minutes of the launch, we received 15 bug bounty submissions about this behavior and were able to fix it quickly. Jack Whitton, who was the first to report, got a nice bounty and wrote about it on his blog.
- Abusing GraphQL search to make inferences against hidden data: Philippe Harewood noticed that GraphQL search results allowed the person making the request to make inferences about data they wouldn’t otherwise be able to see. The detailed description of the technique is here.
- Site-wide CSRF bypass: Pouya Darabi found an endpoint that took an URL parameter from a GET request, parsed it as URL path and parameters, and then submitted a POST request to that path. As the POST request included a valid CSRF token, it effectively bypassed CSRF site-wide. Pouya wrote about it here.
Unlike the past two years, Facebook this year didn’t add any new properties to the scope of its bug bounty program (Oculus and Moves in 2015; Parse, Atlas, and Onavo in 2014). We therefore wouldn’t be surprised if the number of bounties and total payout to researchers decreased again in 2016.