[Air-L] Meta scraping bug bounty update

Joly MacFie joly at punkcast.com
Fri Dec 17 00:57:09 PST 2021


https://engineering.fb.com/2021/12/15/security/bug-bounty-scraping/

*Charting the future of our bug bounty program*
By Dan Gurfinkel - Dec 15 2021

   - We’re tackling the industry-wide issue of scraping by expanding our
   bug bounty program to reward valid reports of scraping bugs and unprotected
   data sets. To the best of our knowledge, this is an industry first.
   - Looking toward the future, we’re also launching new educational
   opportunities for researchers and hosting our first BountyConEDU
   <https://bountyconedu2022.splashthat.com/> — a three-day conference for
   university students across Europe interested in learning more about the
   industry.
   - Since launching our bug bounty program in 2011, we’ve received more
   than 150K reports, of which over 7,800 were awarded a bounty.

Over the past 10 years, our bug bounty program has grown from only working
with Facebook’s website to covering all of our web and mobile clients
across all of our apps, including Instagram, WhatsApp, Quest, Workplace,
and more. As we build for the future, we’re expanding the program to help
combat the industry-wide issue of scraping and providing more opportunities
for researchers.

Here are a few highlights from the past decade:

   - Since 2011, we’ve paid out more than $14 million in bug bounties and
   received more than 150K reports, of which over 7,800 were awarded a bounty.
   - We’ve paid out more than $250,000 in Hacker Plus
   <https://www.facebook.com/whitehat/hackerplus/> bonuses since that
   program’s launch in 2020.
   - So far this year, we’ve awarded over $2.3 million to researchers from
   more than 46 countries.
   - This year alone, we’ve received around 25,000 reports in total and
   issued bounties on over 800 reports.
   - Since 2011, we’ve received the most valid reports from India, the
   United States, and Nepal.

From the beginning, we knew that our program needed to remain agile so that
we could pivot in response to emerging risk areas. For example, to help
crack down on instances of platform abuse after Cambridge Analytica, we
launched the industry’s first Data Abuse Bounty program
<https://about.fb.com/news/2018/04/data-abuse-bounty/>, which rewards
researchers who report misuse of Facebook data by app developers. After a
2018 attack <https://about.fb.com/news/2018/09/security-update/> that
targeted access tokens, we launched the industry’s first bug bounty for
third-party apps and websites
<https://www.facebook.com/notes/facebook-bug-bounty/introducing-rewards-for-reports-about-access-token-exposure/2247351778612369/>
to reward researchers who find vulnerabilities that involve abuse of Facebook
user data.

As we look toward the future of our program, we’re focused on expanding it
to address new risk areas and launching new initiatives to recruit and
retain researchers.

New expansions to cover scraping

As scraping continues to be an internet-wide challenge, we’re excited to
open up two new areas of research for our bug bounty community. While we
are only one piece of the larger puzzle when it comes to combating scraping
efforts, we believe that the bug bounty community is an important element
of our own work.

Starting as a private bounty track for our Gold+ HackerPlus
<https://www.facebook.com/whitehat/hackerplus/> researchers, our bug bounty
program will now reward reports about scraping bugs. The goal of this
program is to find bugs that attackers utilize to bypass scraping
limitations to access data at greater scale than the product intended. Our
goal is to quickly identify and counter scenarios that might make scraping
less costly to execute. To our knowledge, this is the industry’s first bug
bounty program for scraping.

In addition, we are expanding our data bounty program to reward reports of
unprotected or openly public data sets containing at least 100,000 unique
Facebook user records that include information such as email, phone number,
physical address, religious or political affiliation. The reported data
set must be unique and not previously known or reported to Meta. If the
report is valid, we will make efforts with the relevant entity to remove
the data set or consider legal means to address the issue. We will reward
valid reports of scraped data sets in the form of charity donations to
nonprofits of our researchers’ choosing, to ensure that we are not
incentivizing scraping activity. See more details on this expansion.
<https://about.fb.com/news/2021/12/expanding-bug-bounty-program-to-address-scraping/>

Recruiting and retaining researchers

Our program wouldn’t be successful without the external researcher
community. We know that bug bounty researchers are in high demand, and want
to make sure that our program remains rewarding. However, we also know that
bug hunting can be a transient career path, with researchers sometimes
transitioning in and out of programs. For this reason, we also want to help
cultivate a more sustained interest among new and existing researchers.

Educational opportunities

Some of our longtime researchers have told us that they are interested in
more educational opportunities to expand the surfaces and products they can
hunt on — especially as certain bug areas are notoriously difficult to
transition between, for example from software to hardware bug hunting.

We’ve designed our annual conference, BountyCon, to include sessions run by our
top researchers. In these sessions, they discuss practical techniques and
approaches for discovering and reporting critical vulnerabilities across
surfaces for other researchers to learn from. Next year, and pending travel
restrictions, the conference will take place in May in Singapore and will
be co-hosted with Google.

We noticed at BountyCon that when researchers worked together to submit
bugs, they not only found higher-impact bugs but also learned from one
another about their different focus areas. To support this kind of teamwork
and learning, this year we released a collaboration feature
<https://www.facebook.com/BugBounty/posts/4912374705443383> for researchers
who want to submit joint reports to our program.

Later this year, we will also launch a dedicated education center to help
quickly onboard bug bounty researchers onto different products and
technologies so that they can cut down the time it takes to hunt new areas
for bugs.

Supporting the next generation of bug hunters

In addition to engaging the researchers that currently participate in our
program, it’s also important that we help usher in future generations of
bug hunters. In February, we’ll host our first BountyConEDU
<https://bountyconedu2022.splashthat.com/>, a conference in Madrid for
university students from all over Europe. This three-day conference will
allow them to learn more about bug bounties and how to hunt for bugs, as
well as to form teams to test Meta products for valid vulnerabilities. We’re
excited to take our lessons from this event to find ways we can create
similar learning opportunities around the world.

We want to thank our bug bounty community for their great research and everyone
who contributed <https://www.facebook.com/whitehat/thanks/> to the growth
of our program. As always, we appreciate feedback on how we can make our
collaboration even more effective. We look forward to our continued work
together to keep our platform secure!


-- 
--------------------------------------
Joly MacFie  +12185659365
--------------------------------------