Facebook and the bug hunters

Powered by SC Magazine

The sometimes dangerous business of vulnerability disclosure is becoming profitable.

Standing on stage at the Facebook F8 developer's conference in September, founder and CEO Mark Zuckerberg boasted that the social media site he invented in his Harvard dorm room back in 2004 – the same site which now has more than 800 million users – recently hit a milestone: Half a billion people used Facebook in a single day. 

There is no denying that the behemoth that is Facebook has become ingrained into users' everyday lives. But even giants can fall. If members believe the information they post on Facebook is unsafe, they will move on – plain and simple. 

This reality is not lost on those who work for the company. In fact, it's quite the opposite. Within the walls of Facebook's headquarters in Palo Alto exists a culture dedicated to providing users with a secure experience, says Joe Sullivan, the company's chief security officer.

“Trust is fundamental,” Sullivan says. “That's something we think about every day. There is never a situation where the company trades off security for something else. If there is a security issue, we drop everything and deal with it.” 

One of the necessities in running a web presence used by hundreds of millions of people each day is ensuring its code is free of errors – security vulnerabilities – that could allow an attacker to gain access to private accounts. By any measure, coding errors are extremely prevalent, not just in websites spanning the internet, but also in commercial computing products and custom-developed systems. 

“Vulnerabilities are dangerous, and people outside of the [computer security] industry aren't aware of how many latent vulnerabilities there are in products they use every day,” says Dino Dai Zovi, an independent security consultant who started bug hunting to find such issues in 1999, and who has disclosed flaws in products made by Apple and Sun Microsystems (now owned by Oracle).

While Sullivan estimates that hundreds of employees across Facebook work on security issues, there are two primary groups dedicated to preventing, finding and fixing vulnerabilities. The platform integrity team, within the software engineering department, works to ensure that every single engineer in the company follows secure-coding practices. Then, the six-person product security team, which is part of the security department Sullivan manages, works to “poke holes” in the code that has been created, scouring it for vulnerabilities. 

In addition to these internal efforts, the company also calls on external auditors to review code for weaknesses before it is released online.

And, to ramp up its efforts to find holes that could be abused by attackers, Facebook recently followed the lead of several other major web companies – including Google and Mozilla – to launch a so-called “bug bounty” program. Such initiatives offer independent researchers monetary incentives for the private disclosure of vulnerabilities and exploits. 

Since rolling out the program in July, Facebook has already doled out $70,000 to researchers around the world for the discreet disclosure of 72 vulnerabilities, all of which have since been fixed, Sullivan says.

“I think it is a good thing to have more people testing our site, and I believe that because we launched the program we have encouraged more people with expertise in security issues to help us,” he says.

Landscape shifts 

The bug bounty programs of today represent a significant evolution in the historically fragile relationship between researchers who find security issues and companies whose products are affected. In the late 1990s and early 2000s, most large companies didn't have a defined process for dealing with reports of vulnerabilities coming in from the research community, Dai Zovi says. 

“At best, they would ignore you,” he recalls. “At times, they were hostile and threatened researchers with lawsuits.” 

The idea to begin paying researchers for vulnerabilities initially came from the vendor community. The first such initiatives were the Vulnerability Contributor Program (VCP), launched in 2002 by security firm iDefense (now owned by VeriSign), and the Zero Day Initiative (ZDI), founded in 2005 by TippingPoint (now owned by HP). These programs remain the top players in the commercial bug market today.

The most important shift in the vulnerability disclosure model occurred when software makers themselves started offering bug bounties, Dai Zovi says. “Vendors are switching from passively receiving reports to actively soliciting them,” he says. 

Mozilla, maker of the popular Firefox web browser, began such a program in 2004. The company provides monetary rewards for the private disclosure of bugs classified as “critical,” or “high” – its most severe ratings designated for flaws that could allow an attacker to install malware without user interaction, obtain confidential data from a user's machine, or cause a denial of service requiring extensive cleanup or reinstallation of the operating system. Since launching the program, Mozilla has received somewhere between 150 and 160 bounty-eligible bugs, and thousands of others that are lower in severity, says Brandon Sterne, a Mozilla security engineer. 

Considering that some companies still try to deal with security flaws internally and don't welcome bug reports from the research community, Mozilla, along with a number of other companies with such programs, is undoubtedly ahead of the curve.

Facebook, too, has traditionally encouraged researchers to notify the company directly about security problems.

“We haven't sued anyone or reported anyone to law enforcement who has reported a vulnerability to us, nor do we intend to,” Sullivan says. 

In fact, the social networking site advanced its bug solicitation efforts after Sullivan's team spoke with professionals at other companies with established bug bounty programs and received positive feedback. Facebook now offers at least $500 for privately disclosed flaws that may “compromise the integrity or privacy of Facebook user data.” For a particularly bad flaw, the company has given $5,000. 

Just two months after the project was launched, Sullivan says he is “astonished” by how impactful it has been. It has enabled Facebook to build relationships with researchers from all over the world. The top two bug finders so far have been a college student from the United States and an individual in Turkey, both of whom have already been paid at least five different times, totaling between $5,000 and $10,000 each, Sullivan says. 

Further, the bugs that are being disclosed are flaws for which the company wouldn't normally have been looking. And, the initiative has proven to be an invaluable recruitment tool. 

“We had one person who asked us if they could have admission to the F8 conference instead of receiving the bounty,” Sullivan says. “We flew them out to San Francisco and scheduled them for a series of engineering interviews the next day.” 


Copyright © SC Magazine, US edition
