Companies need all the help they can get to stay one step ahead of the next big security vulnerability, and sometimes that means relying on outside forces.
Bug bounties elicit security help and advice from independent hackers and security researchers, usually in exchange for a cash reward. The hacker scours the site, discloses the vulnerability to the company, it gets patched, and the hacker pockets some money. Bug bounty programs have been around for a long time, but in recent years they’ve become much more common.
Facebook has paid out millions in rewards to bug hunters over the years. Earlier this year, Anand Prakash, a security engineer from India, discovered and disclosed a major bug that could have allowed him to access any account. He found that it was possible to make an unlimited number of PIN attempts when resetting an account’s password through beta.facebook.com, the developer site for new features not yet rolled out to the masses, because nothing capped the number of guesses.
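As an added illustration (not code from the article or from Facebook), the snippet below contrasts a reset-PIN check that counts nothing with one that counts failures per reset token and invalidates the token after a fixed number of misses; the attempt limit, the six-digit PIN format and the in-memory store are assumed.

```python
import hmac
import secrets
from dataclasses import dataclass

MAX_ATTEMPTS = 5  # assumed policy value, not Facebook's


@dataclass
class ResetToken:
    pin: str
    attempts: int = 0
    locked: bool = False


class UnsafeResetVerifier:
    """Mirrors the flaw described above: every guess is checked, none is counted."""

    def __init__(self):
        self.tokens = {}  # user -> ResetToken (in-memory stand-in for a real store)

    def issue(self, user):
        # Six-digit PIN, as in the article; returned here only so callers can test.
        self.tokens[user] = ResetToken(pin=f"{secrets.randbelow(10**6):06d}")
        return self.tokens[user].pin

    def verify(self, user, guess):
        tok = self.tokens.get(user)
        return tok is not None and hmac.compare_digest(tok.pin, guess)


class HardenedResetVerifier(UnsafeResetVerifier):
    """Same interface, but a token dies after MAX_ATTEMPTS failures or one success."""

    def verify(self, user, guess):
        tok = self.tokens.get(user)
        if tok is None or tok.locked:
            return False  # no token, or already burned: never reveal which
        if hmac.compare_digest(tok.pin, guess):
            del self.tokens[user]  # single use: a correct PIN consumes the token
            return True
        tok.attempts += 1
        if tok.attempts >= MAX_ATTEMPTS:
            tok.locked = True  # user must request a fresh reset
        return False
```

In production the counter would live in shared storage keyed by the token, and the lockout would be paired with a short token lifetime and per-IP rate limiting so that the reset endpoint cannot be worked from many sources at once.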
“In-house testing does not compare with using the crowd, via bug bounties, in terms of effectiveness.”
“I was able to view messages, his credit/debit cards stored under payment section, personal photos and more,” he said. The discovery (which was promptly fixed) netted him $15,000, and there’s no evidence that the vulnerability was ever used by malicious attackers.
The bug itself is quite simple, but it had severe implications and somehow went undetected by Facebook’s own teams. After all, security pros are still only human, and a second opinion can make a huge difference. That is why we’ve seen a bloom in bug bounty programs from major players like Facebook, as well as platforms that connect hackers with companies, like HackerOne and Bugcrowd.