White Hat Bug Reporting: How a Hacker Received $33,500 and a Job Offer by Facebook
Facebook is one of the major internet giants that award the “white hat bug hunters” who find security flaws hidden within the application code, and could compromise the security and privacy of the services they offer. These security researchers are known as “white hat” hackers and Facebook has an elaborate bounty program in place for the reports they send in.
Reginaldo Silva, an information security analyst from Brazil, found a serious flaw in Facebook’s code back in November 2013 and reported it through that same bounty channel. The flaw, which Silva believed to be an RCE (Remote Code Execution) vulnerability, could compromise the security of Facebook’s servers by letting an attacker execute code on them remotely, and potentially spread malware across the computer systems of Facebook users. After confirming that the report was legitimate, Facebook agreed to pay Silva a $26,500 reward, which would make him the highest-paid bounty hunter Facebook had ever rewarded.
Apparently this amount was not enough for him, however.
He later found out that Facebook’s engineers did not consider the bug he reported to be an RCE. For this reason, he got back in touch with the Facebook security team and explained his findings in detail. This time the team recognized the seriousness of the issue and raised the bounty to a whopping $33,500, and offered Silva a job at Facebook as a ‘security analyst’ and ‘bug reports moderator’ as well. Silva later detailed the bug and the hunting process in a blog post here.
Reginaldo Silva, a computer engineer from Brazil, works full-time as a bug hunter and is known for his discoveries not only at Facebook but elsewhere as well, especially Google, StackExchange, Microsoft, Netflix and Twilio. He currently sits in sixth place on Google’s 0x0A List, a compilation that recognizes the best bug reporters based on the volume, security impact and number of the security flaws they detect and report.
At a time when threats to online resources and services are increasing exponentially, firms like Facebook have to put high-rewarding bounty programs in place to encourage (read: trick) security researchers into finding bugs for them and reporting them back instead of selling these secrets to third parties. While this increases competition, it also gives security analysts a stronger incentive to earn big by reporting bugs and flaws to the firms themselves. Facebook reportedly paid $1.5 million to a total of 330 individuals and entities (small companies and groups of people working together) in 2013 for legitimate reports of security vulnerabilities; Google, on the other hand, had paid out over $2 million to its reporters by mid-2013.
Companies like Google and Microsoft have similar programs in place and reward researchers handsomely for doing their job for them. The size of the reward varies with the nature and scope of the bug; the minimum bounty set by Google is $100 and by Facebook is $500.
A number of talented Pakistani security researchers have also made their way onto the Hall of Fame lists and earned rewards through these bounty programs. One notable individual in this regard is Mirza Burhan Baig, who has appeared in Google Application Security’s Hall of Fame and on PayPal’s Honorable Mention list, and was awarded $1500 for a bug report just this year, alongside fellow reporter Muhammad Waqar. Other names from Pakistan include Rafay Baloch, Tayyab Abdullah, Ali Hasan Ghauri and many others.
The purpose of sharing these stories and names with our readers is to underline the fact that talent and skill, when coupled with motivation and pointed in the right direction, never go unrewarded. We’ll wrap up with a quote by Confucius:
“The will to win, the desire to succeed, the urge to reach your full potential… these are the keys that will unlock the door to personal excellence.”
Image credits: SoftwareTestingHelp, G1 Globo, Mirza Burhan Baig (Facebook)