

Reading local files from Facebook's server (fixed) - franjkovic
http://josipfranjkovic.blogspot.com/2014/12/reading-local-files-from-facebooks.html

======
franjkovic
HN, I am wondering about your thoughts on the $5500 bounty. This is a bug that
affected a third party system on Facebook's servers, and the network was locked
down. I could have gained access to resume analysis software and maybe resume
uploads themselves. There was a small to no chance I could get Facebook
internal code or binaries. So, was the bounty enough?

~~~
vertex-four
Did you report it to Facebook, rather than sell it on the market? Yes? Then it
was enough, by definition.

Honestly, resume uploads are unlikely to be worth much. The resume analysis
software either. What information there is worth anything to an unreputable
buyer?

~~~
kenko
It absolutely doesn't follow that it was enough. Someone might report it to
Facebook rather than sell it on the market out of principle regardless of the
bounty, while still thinking that the bounty is way too low relative to the
severity of the issue. (What's more, the size of the bounty might be revealed
only after it's been reported.)

However, I'm unsurprised to find such reasoning on HN.

~~~
kogir
Actually, if the goal of a bounty program is to get reports instead of wild
exploits, the only metric of success is getting the reports. In the case that
someone would have reported it for reasons other than the bounty, the bounty
is not only too much, but completely wasted.

~~~
Too
How can you say it's completely wasted? This guy just blogged about getting
$$$ from Facebook, and it hit the front page of HN. It might inspire others to
also report vulnerabilities. And conversely, if he was looking for bounties
and didn't get any, there would instead be a front page HN story about Facebook
_not_ paying bounties.

~~~
racontour
That only holds if those bug hunters who read this consider the payout fair.
Otherwise, they may decide not to spend time hunting on Facebook or may decide
not to report bugs found in favour of the black market.

------
zachberger
The temporary fix wasn't very user friendly. It was a plain text response
"Please try again later" when trying to upload a resume.

~~~
franjkovic
Yeah. In the one-day timeframe between the temp and permanent fix you could not
upload a resume, which is a breaking change for end users.

But, I think it was pushed because it was Sunday and the Careers team was not on
site to properly/permanently fix the bug.

~~~
themartorana
Well, they had to figure out what was going on with software from a 3rd party
vendor. That likely adds overhead.

But hey, I'd break all kinds of functionality temporarily to make sure this
exploit - which, as is explained, _looked_ worse than it ended up being - wasn't
actually as bad as (or worse than) it _did_ look.

~~~
franjkovic
I agree with this, too. Personally, I would probably do the same. A day of
breaking a small part of the site vs killing local file read seems like a good
trade.

------
ceejayoz
I'm impressed with the fix turnaround.

------
2ddddd22
GJ Plit

------
styles
Did anyone else notice a user named Gopher? Go at Facebook?

~~~
zackboe
It's most likely for the Gopher protocol:
[http://en.wikipedia.org/wiki/Gopher_%28protocol%29](http://en.wikipedia.org/wiki/Gopher_%28protocol%29)

