
Facebook paid $4.5K for disclosure of my user account exploit - yvoschaap2
http://www.yvoschaap.com/weblog/facebook_values_the_privacy_of_its_billion_users_at_4500
======
ig1

       Churchill: "Madam, would you sleep with me for five million pounds?"
     
       Socialite: "My goodness, Mr. Churchill... Well, I suppose... 
                   we would have to discuss terms, of course... "
    
       Churchill: "Would you sleep with me for five pounds?"
    
       Socialite: "Mr. Churchill, what kind of woman do you
                   think I am?!" 
    
       Churchill: "Madam, we've already established that.
                   Now we are haggling about the price"
    

You're either a black/grey hat or a white hat. Either you're a white hat and
believe selling to malicious hackers is fundamentally wrong and you wouldn't
do it at any price, or you're a black hat waiting for the right price.

The purpose of reward schemes is to reward white hats, not to compete with the
bad guys for the black hat discoveries.

~~~
shawabawa3
> Either you're a white hat and believe selling to malicious hackers is
> fundamentally wrong and you wouldn't do it at any price, or you're a black
> hat waiting for the right price.

That sentence is such a false dichotomy it's hard for me to take you
seriously.

Is it evil to want to feel appreciated for your work? The message Facebook is
sending is that they honestly don't care if you find huge, potentially costly
security holes in their software and go out of your way to let them know.

edit: It seems from reading other comments $4500 is actually quite reasonable.
I was basing my comment on the author saying it was a "paltry fee".

~~~
meritt
Facebook is doing the right thing here. Very few companies have a responsible
disclosure policy, much less a reward system.

You take a huge risk even notifying companies of a security flaw you found,
since that usually implies you were doing unauthorized penetration testing and
they'd have a case against you under the oh-so-wonderful CFAA. Or they'll just
ignore you completely and never patch the flaw.

------
Irregardless
Less money = less incentive = fewer disclosures = less secure.

Facebook is abusing the good will of white hats by offering such trivial sums,
and they're reducing the security of their platform in the process. They have
how many $100k+ engineers who couldn't find this? And how much does the
average security breach cost per record, $100-$200? This exploit alone could
have exposed them to millions in losses at that cost.

This is what turns white hats into black hats, and I wouldn't blame the guy
for selling his next exploit rather than disclosing it. A famous guy once said
"we create our own demons". And then the guy in Iron Man 3 said it. And now
I'm saying it.

~~~
tptacek
"Trivial sums"? This is squarely in line with what Google pays for
vulnerabilities. Who is paying drastically more for website flaws?

And, because you think the thank-you Facebook offered was too low, you
_wouldn't blame him_ for selling vulnerabilities to criminals? Really? Selling
vulnerabilities to criminals is itself a crime.

~~~
dkokelley
> Who is paying drastically more for website flaws?

Black hat markets, presumably. At least that is the point being made by
commenters here. Granted, selling the vulnerability is illegal and immoral,
but that doesn't stop it from happening. The 'market rate' for vulnerabilities
seems to be higher than what Facebook and Google are paying out.

~~~
tptacek
Why do you "presume" that? Not all vulnerabilities are equally valuable, and
the value for a vulnerability is not as straightforward as people here seem to
think it is. Or at least, I don't think it is.

~~~
dkokelley
I use the word "presume" because I don't frequent black hat markets and I have
no personal experience with current pricing. The general agreement I'm seeing
in the comments (and anecdotes gathered elsewhere) is that exploits and
vulnerabilities command a higher price when sold to black hats rather than
responsibly disclosed through a bounty system. (Isn't this what the
grandparent and article are implying?)

This makes sense economically to me. In order for it to be worthwhile for a
vulnerability discoverer to sell the exploit, the reward should overcome the
cost. In this case, the cost is the probability of getting caught multiplied
by the severity of the punishment.

------
jrochkind1
I think many people reading this get a sort of uncomfortable feeling thinking
about 'white hat' security researchers receiving bounties for disclosure -- it
sounds a bit like extortion, especially when people talk about "wondering how
much more you can get elsewhere."

But at the same time, the reality is that we're in somewhat of a security
crisis. Businesses responsible for the security and privacy of our personal
information and identities are clearly not in fact capable of protecting those
on their own. (In part because it is a very hard task). They need help. And
they're not going to get enough help purely from unpaid volunteers.

In a more reasonable world, the government would have armies of 'white hat'
hackers trying to find security holes (they surely do), and then _telling the
affected about them_ (they definitely don't, they keep them instead for their
own use). Because that would result in increased security for us all, isn't
that in theory the mission of police agencies, increasing our security?

~~~
tekacs
Unfortunately or fortunately, I think much of the world would disagree with
you and argue that such behaviour would be 'meddling' and gross overstepping
by the government, right now.

Perhaps this sort of governmental 'help' would be possible in the future, but
right now it seems that such behaviour would almost certainly result in cries
that we had entered into a police state. :/

Edit: he notes that when he says 'we', you and I are almost certainly not in
the same nation state. :P _shrug_

~~~
Retric
I don't see it as much different from the fire chief telling you how many people
can occupy your building, the FAA inspecting aircraft maintenance schedules, the
FDA inspecting a slaughterhouse, the Fed keeping track of a bank's balance sheets
or thousands of other areas where private companies' interests are not aligned
with the public.

~~~
taf2
There are and will be growing pains as this becomes reality... for example,
there could be unintended consequences; one might even imagine one such as:

" you get fined for hosting ogv videos because they're deemed unsafe and the
FCC decides you should be fined per video that is not an MPEG format... after
all these unsafe videos hurt real people "

So, yeah, the government could be a good vehicle for helping to secure our
internet, but it could also have unintended consequences of preventing growth
and innovation under the guise of "security", e.g. "fear".

------
epenn
_...intrigued by the bold sentence on Facebook's security researcher page
"There is no maximum reward" I went out and started giving Facebook's code
another peek._

I'm not surprised that you feel this wasn't enough since it appears the reward
is your motivation for finding an exploit in the first place. The reward
shouldn't be viewed as payment for services rendered, but rather as a gesture
of good will for performing your duty of responsible disclosure.

 _Without the disclosure of whitehat hackers, like I did, these exploits can
also become available to dubious parties who could wreak (digital) havoc._

If you are truly a white hat then you aren't motivated by money. You are
principally motivated by wanting to make the world a better, safer place.
Since you're well-versed in computer security, that motivation will propel you
to apply that knowledge to the web (or really to any vulnerability) when the
opportunity presents itself.

If the reward is your motivation then at best this makes you a grey hat. You
did the right thing, but for the wrong reasons. Note that for the following
I'm not saying you personally will necessarily do this; but it would be easy
from that position to start treating the group of people who you're willing to
disclose a vulnerability to as a marketplace. Facebook will pay $4,500? Fair
enough. L33tBotNetHaxz0r will pay $20,000? Done.

If you're someone who possesses the skill to discover security
vulnerabilities, I think it's important to think through what your real
motivations are. Is it for the rush of capturing the flag? Is it for the money?
Is it to help people? Your actions can affect many, so act wisely.

Edit: I should clarify that I mean that money can't be the _principal_
motivation for a white hat hacker. I believe it's fine as a secondary
motivation. I give an example in another comment below.

~~~
tripzilch
> If you are truly a white hat then you aren't motivated by money.

False.

> You are principally motivated by wanting to make the world a better, safer
> place.

Probably true.

That's not contradictory. And neither is wanting to disclose a vulnerability
responsibly, wanting Facebook to be secure against the vulnerability you just
found (even only because it affects you, your friends, family, people you care
about) and _at the same time_ feeling that $4,500 is a bit of a meagre bounty
for a find of some particular severity.

You can argue about whether $4,500 is, or is not, reasonable. But as you may
notice, it's not like he held the bug "hostage" threatening to sell it to the
black market otherwise, or even hinting at perhaps doing that the next time.

He can be wanting to make the world a better place (or Facebook a safer site),
and still be dissatisfied with the reward he got.

Even rationally: for instance, one could reason that even though they could
sell the bug for $20k on the black market, this could cause damage and harm to
innocent people on a scale (and with a _certainty_, because they won't buy
the bug to just sit on it) that isn't worth the extra money he could gain (and
for people with a decent moral compass that threshold is passed easily without
even having to consider the risks of dealing with the black market etc). Then,
having come to this conclusion, one could say "Well, I did the right thing,
and I am disappointed that Facebook isn't offering more incentive for others
to do the same".

Also, the incentive is not _just_ for convincing people to give the bug to the
good guys instead of the bad guys. It's clear from the article that he spent a
deliberate and non-trivial amount of effort on finding this bug, he didn't
just stumble across it. This Facebook bug was found because they offered a
mystery prize, prompting him to search for a bug and dig deep, then he got
disappointed that the prize was less than he anticipated. It's not so much a
question of "will he sell it to the bad guys next", rather it's "will he
bother going through that much trouble again to help fix a flaw in Facebook,
knowing what the payoff will be?"

That said, my question: is $4,500 really too little? How many hours did this
cost him (times a price appropriate to his specialist knowledge, of course),
so how much should it have been, for doing the right thing? 2x, 3x this? I
don't think straight up matching it up to black market prices really makes a
lot of sense; there are too many external factors that make it a very different
deal.

~~~
__david__
> is $4,500 really too little? How many hours did this cost him (times a price
> appropriate to his specialist knowledge, of course), so how much should it
> have been, for doing the right thing? 2x, 3x this?

I don't think that's the right way to look at it—it's not a straight manual
labor thing ($/hour * hours = $). The question is, how much money is it worth
to Facebook to fix a potentially embarrassing vulnerability. For a complete
profile exposure type bug, I would expect that's more than $4.5K.

------
Gobitron
Much of the conversation here centers around the value of reporting to
Facebook vs. selling to black hat. This is the wrong paradigm to view this
issue through.

Taking the view that selling to blackhats is ALWAYS wrong, it may still make
sense for Facebook to pay significantly more to find vulnerabilities in their
system. A less vulnerable system is one with a competitive advantage, and I
think Facebook is missing an opportunity to tout their security credentials.

Let's take a back of the envelope calculation. Say instead of $4,500, they
paid each of the 66 people who submitted a vulnerability $50,000. And since
we're not halfway through 2013 yet, let's assume that in total 150 people will
submit valid security holes to FB this year. That's $7.5 million paid
out.

Now, once word of a $50k payout gets out, say 10x the number of people try to
find vulnerabilities, and the success rate increases linearly. So Facebook
pays $75 million a year.

What are the benefits of this program? I'd say you get a few major benefits
vs. the current situation:

1. You will definitely convert some blackhats away from exploiting FB data in
   exchange for $50k legally obtained.
2. You convert a lot of people currently looking for security exploits in
   Google, Amazon, etc... to searching for FB vulnerabilities.
3. As a result you have a much more secure platform.
4. You can leverage these payments through media and PR to legitimately show
   that you care about security.
5. You combat competitors by touting a more secure platform.

$75 million is not small change when you look at FB's operating income, but
it's not going to break the bank either.

The point is that it may well be a rational decision on FB's part to offer
significantly more and it has nothing to do with the black hat market value of
the exploit.

~~~
pkfrank
This assumes a linear relationship between (Bounty for vulnerabilities) ::
(Identified outstanding vulnerabilities)

Presumably, one would see diminishing returns in the ability to find "low
hanging fruit" exploits, and thus the economics @ a $50k pay-out would be even
more attractive for Facebook.

~~~
kbenson
It's a market. As the vulnerabilities become harder to find, Facebook will
have to increase the payout to continue to find takers, if they view it as a
worthwhile investment (they may decide that since vulnerabilities are harder
to find the program has less merit, which I would disagree with).

------
yvoschaap2
I posted a more detailed description of the exploit:
[http://www.reddit.com/r/netsec/comments/1fe9mj/facebook_pays...](http://www.reddit.com/r/netsec/comments/1fe9mj/facebook_pays_45k_for_disclosure_of_my_complete/ca9ehfe)

------
tptacek
$4500 sounds about right for this vulnerability.

~~~
CJefferson
In what sense? I'm sure you could find people who would pay $20,000 to view
anyone's private photos.

~~~
tptacek
If you say so. Where would you find them? There appears to be a functioning
market for drive-by clientside RCE. The Interwebs seem to have interpreted
this as evidence that there is a market for all kinds of vulnerabilities. I am
skeptical that this is the case, and, unlike the RCE markets, I have no
evidence to suggest that the website auth bypass markets are real.

I suppose the ability to generate unbounded Facebook likes or Twitter
followers is monetizable.

~~~
mootothemax
_I have no evidence to suggest that the website auth bypass markets are real._

You could definitely contact your local firm of private investigators,
insinuate that "I can access anyone's FB account," and make a tidy sum from
doing just that.

Playing devil's advocate, admittedly, but there is still a very active market
for quite petty-yet-nasty stuff, e.g. land developer wanting to access email
accounts of local residents protesting against the plans.

Actually, you want weird? Thanks to my latest "seeking work" post on HN (and
"Hacker" appearing in the page's title), I had someone ask me to hack the
local authority computers responsible for registering people's deaths. This
was, apparently, in order to give his funeral director company a leading edge.

Does Matasano never get cranks asking for stuff of a similar nature?

~~~
tptacek
There's a difference between a functioning market for something and your
ability to one-off 1:1 contracts for things. Hyperbolic comparison: you can
also pay to have someone killed, but random people on the Internet don't have
access to a market for putting out hits.

------
joetech
$4.5k is decent. Were you expecting to get rich? There are contests where you
can rake in much larger amounts, and you could make a killing forming a
penetration team if money is the issue.

~~~
yvoschaap2
Yes, $4.5k is decent. But put that in the perspective of the type of data and
content Facebook exposed of its billion users.

And personally, if Facebook says "no maximum reward"
(<https://www.facebook.com/whitehat>) I was expecting something different for
a complete account access exploit.

~~~
ceejayoz
The $4.5k is intended as a "thank you" card, not a paycheck.

------
ronaldx
$4.5k is surely a small amount of money if they had employed someone to do
this kind of work.

However, since the work was done for free the author had sunk the time and
risked getting $0 for it. Even if the author is inclined to go black hat,
there's a lot more (likely illegal) work to be done for the author to extract
value from it.

As such, $4.5k is a good deal for the author - Facebook offered it knowing
that and the author accepted it knowing that.

I don't think this remotely reflects Facebook's true value of privacy
(although this admittedly may not be high).

Facebook's only potential loss by making this offer is that it may make it
slightly less likely for talented people to work externally on white hat
exploits.

------
mag00
Hi - I built Facebook's Bug Bounty program with a few other FB folks. There are
a couple of things I want to add to the conversation about how we look at
rewards.

(Also, in 2009 it was just myself and a couple others running our disclosure
program. It wasn't even bounties at that point. We'll get you a shirt, you can
pretty much just blame me for that.)

1. We don't compete with the bug market, so our rewards will not look like
market prices. It's true that "Bad Guys" would pay enormous amounts for a bug.
They also pay a premium for the criminal risk being taken, and for the
opportunity to exploit it which will theoretically make them a lot of money.
However, we're good guys and we don't plan on profiting from bugs.

2. You, the researcher, are safe to post and talk about the vulnerability you
found when Facebook is held to the disclosure policy. If your bug is extra-
awesome, we'll sometimes send a bunch of reader traffic your way from our bug
bounty page. This has shown to be worth a lot to researchers. Several of our
bounty hunters have started companies, gotten jobs, become internet famous
from this program and value this more than any bounty.

3. We are pretty lenient on what qualifies as a bug, which means we have a
higher volume of payments to researchers than you might expect. If a
researcher showed amazing skill in finding something that didn't actually turn
out to be a bug, we'll probably reward them anyway because we want them to
keep trying. We are pretty lenient on duplicates as well. If we see that
someone truly discovered a bug independently (and also showed significant
skill discovering it) then they'll probably get a reward too. The theory here
is that we want more responsible disclosures instead of pissed off
researchers.

Overall I don't want to argue with the amount we rewarded here, but show that
we're doing a lot of stuff that's benefiting a lot of researchers. We're one
of the first companies to launch a bounty program, and most of the researchers
you have listed would probably say they think we're doing pretty well. Not too
many companies have a bug bounty program, and I'm really proud of ours! :)

------
Sujan
What's the point/argument of this article? That 4.5k is not enough money?

(serious question, not hating)

~~~
mischanix
The other market would pay orders of magnitude more for such an exploit.

~~~
tptacek
Do you _know_ that or are you just assuming that there's an effective black
market for all kinds of vulnerabilities, and not just drive-by clientsides?

~~~
mischanix
My bad, I didn't read further. I assumed this was server-side. After reading,
4.5k sounds right from Facebook, and while I'd imagine the other market price
to be higher, I don't think it'd be above 3x, much less 10x, without something
special (e.g. high-profile user data) accompanying it.

~~~
tptacek
It is serverside (most web app vulnerabilities are). I'm suggesting
serversides are worth much less than clientsides.

~~~
mischanix
What I meant is that the user needed to load a flash payload and be logged in
properly. The data harvesting happens client-side. The vulnerability itself is
server-side, yes, but computers are faster at copying data than engineers are
at figuring out what's going wrong. The data you could potentially harvest
with an exploit like this, given good planning and enough time to affect a
large amount of people, is definitely worth quite a bit of money. This
vulnerability could even have helped to make a very convincing phishing
attack, which, again, properly executed, leads to very valuable data.

It's not remote execution, but I still think it's valuable.

------
benjamincburns
Pricing 101: Goal: Get as much as you can from the thing that you're selling.

Purchase Negotiation 101: Goal: Pay as little as possible for the thing you're
buying.

To me what's funny about this is that if Facebook didn't pay the author at
all, we probably wouldn't be reading this blog post right now.

------
vinhboy
These bounties should be thought of more as an "award" than a "reward". In
this case, the author has received a great honor for his cleverness.

------
readme
$4.5k for spec work isn't that bad. They could've paid $0.

With that said, I keep my Facebook account only for testing applications.

~~~
amirmc
But perhaps now there's a signalling problem. If you find an exploit of a
similar nature you can expect a mid-four figure sum from FB. Now if you're
feeling less than white-hatty you can wonder how much more you can get
elsewhere.

It's easy to say that FB could have paid $0 but if people knew that, it would
make "responsible disclosure" even less likely to happen.

~~~
readme
"Responsible disclosure" shouldn't be up to a financial incentive. It's up to
the law and basic ethics.

The real choice is between a 4.5k bonus or a subpoena. If you want to try the
other path, go ahead....

~~~
crazypyro
Actually, it's a legal gray area. The prosecution would have to prove that you
knew that you were selling to known criminals. This means you would have to
sell to someone that literally told you what they are going to use it for.

~~~
readme
Interesting. I think we can agree the alternative is the wrong choice, though.

Shouldn't have assumed the law was sound in this area... Given that it's not
usually sound in any..

------
cadab
I've been paid as part of their white hat program; $4.5k doesn't seem that high
compared to what I was paid for my 'exploit'. I picked up $1k for finding a
bug in their event invitations: a user could add friends to a private event
when using a mobile phone.

Given that his exploit was getting actual private data from people, I'd have
thought he'd have been paid more. That's not to say $4.5k isn't a lot of money;
it's a very nice reward.

------
general_failure
I think many of the comments are just saying 'do not work for free. if you
work for free, do not expect big rewards'. I have to agree with that. So, OP
don't take it personally. All good work on your part but do not expect too
much for free work. That's the way the world rolls.

------
minimax
What is the actual black market value of an exploit like this? Is it in the
realm of $4,500?

~~~
tptacek
I think it's tricky to assess. There's a lot of support for the idea of high
black-market prices for drive-by clientside remote code execution. Those
vulnerabilities have a long half-life (because of the latency of patching) and
maximal value to attackers (collect zombies, snarf payment card information,
&c). Neither is true of website vulnerabilities.

For a vulnerability that can be instantly eradicated, everywhere, as soon as
the target finds out it exists? There might not be much of a market at all.

(I don't know).

~~~
tinco
I think if you market this as a way into any private account (think
celebrities, politicians, etc.), you could catch quite a price if you wait for
the right buyer.

Think about what shady gossip newspapers pay paparazzi for breaking laws to
get intimate pictures. In the right hands this exploit could be worth tons.

~~~
tptacek
If you say so. I'm sure _somebody_ will buy anything. But the idea that
there's an easily-tapped market for Facebook vulnerabilities, similar to the
one for browser vulnerabilities? Like I said, I don't know. But I'm skeptical.

~~~
msellout
How would you sell the exploit? Your buyer would want to verify it works
before buying, but then you've already given it away. It's not like you could
enforce a contract on this.

~~~
tinco
You don't sell the exploit, you sell the hack. You could sell someone private
access to all Facebook data of one person. Proving you have the ability is
easy: you can just show one image that is supposed to be private, and promise
the rest.

------
skizm
I'm not sure about the law in these situations. What happens if a hacker
(right now let's not label them black or white hat just yet) decides to tell
Facebook that they know of an exploit which can gain access to anyone's account
given an email address. This is a monumental bug, obviously. Is the hacker
allowed to negotiate a price and then withhold the info if their demands are not
met? Or is this against the law?

I would guess as long as they don't use the exploit or sell it to some 3rd
party (nefarious or otherwise) then they should be safe, right?

~~~
tptacek
Nothing happens. He has the option of doing that. He can probably even use it
as a negotiating tactic; without "force, violence, or fear", extortion
probably doesn't come into the picture†, and my (IANAL) understanding is that
courts read the "fear" thing narrowly, like, "fear or force or violence".

What he probably can't do is threaten to sell the vulnerability to "black
hats"; you can't threaten to commit a crime unless you're paid a protection
fee.

† _Source: model jury instructions_

------
melvinmt
It's very simple. If you had a certain price in mind, negotiate the price
first, before delivering the service.

~~~
SpikeGronim
IANAL, but saying "pay me because I have a 0day exploit against your business"
is often construed as extortion. You can end up in jail for that. Consult your
lawyer before negotiating like this.

