Skip to main content

Facebook Now Pays Hackers for Reporting Security Bugs in 3rd-Party Apps


Following a series of security mishaps and data abuse through its social media platform, Facebook today expanding its bug bounty program in a very unique way to beef up the security of third-party apps and websites that integrate with its platform.

Last year, Facebook launched "Data Abuse Bounty" program to reward anyone who reports valid events of 3rd-party apps collecting Facebook users' data and passing it off to malicious parties, violating Facebook's revamped data policies.

Apparently, it turns out that most of the time, Facebook users' data that had been misused was exposed in the first place as the result of a vulnerability or security weakness in third-party apps or services.

The Facebook ecosystem contains millions of third-party apps, and unfortunately, very few of them have a vulnerability disclosure program or offer bug bounty rewards to white-hat hackers for responsibly reporting bugs in their codebase.

Because of this communication gap between researchers and the affected app developers, Facebook's security programs for 3rd-party apps and websites were, until now, just limited to "passively observing the vulnerabilities."

Though Facebook already once expanded its bug bounty program for 3rd-party apps late last year, the scheme was only limited to valid report submissions for the exposure of Facebook users' access tokens that allow people to log into another app using Facebook.

Efforts to Encourage Collaboration b/w Hackers and Developers


Now, to encourage third-party app developers to take the security of their apps more seriously and set up a vulnerability disclosure program, Facebook has decided to pay white-hat researchers from its own pocket even if app developers don't have their own bounty program.

"Although these bugs aren't related to our own code, we want researchers to have a clear channel to report these issues if they could lead to our users' data potentially being misused," Facebook says.

"We also want to incentivize researchers to focus on apps, websites, and bug bounty programs that otherwise may not get as much attention or may not have resources to incentivize the bug bounty community."

"By committing to rewarding valid reports about bugs in third-party apps and websites that impact Facebook data, we hope to encourage the security community to engage with more app developers."

In other words, app developers can take advantage of this program by simply setting up their own vulnerability disclosure policy, which would then help researchers to be eligible for finding bugs in their code and claim rewards from Facebook.

That's because a report of a vulnerability in third-party apps submitted to Facebook will only be considered valid when researchers include proof of authorization granted by the third-party developer when submitting their reports to Facebook's bug bounty program.

However, if the third-party developers already have their own bug bounty program, researchers can claim rewards from both parties.

Reward from Facebook will be issued depending upon the potential impact and severity of the responsibly reported vulnerability, with a minimum payout of $500.

Bug bounty programs for data abuse and 3rd-party apps affecting the whole ecosystem are a growing trend in cybersecurity. Most recently, Google also expanded its Pay Store bounty program to reward hackers for finding bugs in any Android app that has more than 100 million downloads.

Source : The Hacker News

Comments

Popular posts from this blog

10 Best Forum Software For Webmasters

10 Best Forum Software For Webmasters Do you want to create your online discussion forum or online community where people can discuss about their favorite topics? In this article, you can see 10 best forum software (scripts for setting up discussion forums) that can be used free of cost. Although some scripts are paid but rest of these forum scripts are free to use.You only need to buy hosting space and domain name for your website and after then you can install any of these forum scripts to start your own discussion forums on the internet. Online discussion forums generate huge page views because thousands of people want to join online discussion forums to ask questions or share knowledge. Some of online marketers join forums to discuss about their products with community members. You don't need to acquire any kind of technical skill to run a professional discussion forums because these days, almost all web hosting providers offer one click script installer which h...

|Bypass Symlink on 2013 Server With Different .htaccess and Methods by Sen Haxor |

Hi, Guys,  Please a wonderfull tutorial provided bt Sem;\  Today I gonna Explain how to bypass Symlink on 2013 Server With Different .htaccess and Methods. So let's Get Started :) Note: This method is not applicable for Godaddy, Bluehost, Hostgator and Hostmonstor Servers. For This First You Need the Following Files : 1 -> Sen Haxor CGI Shell 2 -> sen.zip 3 -> passwd-bypass.php 4 -> Turbo Brute force Cpanel 5 - > Port.py First Before Starting to symlink we need to create php.ini and ini.php to Disable Safe mode and Disabled Functions on the server . Use the Following Code : Make a php.ini with the following code safe_mode=Off And ini.php with <? echo ini_get("safe_mode"); echo ini_get("open_basedir"); include($_GET["file"]); ini_restore("safe_mode"); ini_restore("open_basedir"); echo ini_get("safe_mode"); echo...

How to Hack WhatsApp using just a GIF

A picture is worth a thousand words, but a GIF is worth a thousand pictures. Today, the short looping clips, GIFs are everywhere—on your social media, on your message boards, on your chats, helping users perfectly express their emotions, making people laugh, and reliving a highlight. But what if an innocent-looking GIF greeting with Good morning, Happy Birthday, or Merry Christmas message hacks your smartphone? Well, not a theoretical idea anymore. WhatsApp has recently patched a critical security vulnerability in its app for Android, which remained unpatched for at least 3 months after being discovered, and if exploited, could have allowed remote hackers to compromise Android devices and potentially steal files and chat messages. WhatsApp Remote Code Execution Vulnerability The vulnerability, tracked as  CVE-2019-11932 , is a double-free memory corruption bug that doesn't actually reside in the WhatsApp code itself, but in an open-source GIF image parsing library that What...