
Is Facebook Bug Bounty Bogus? - chr13
I didn't think it was bogus until I found a Facebook bug nearly 2 months ago. It was a valid bug and I created a video like everyone else. I submitted the bug to Facebook and thought this would be a spammer's dream come true if any spammers got hold of it. I thought they would fix it soon, but after 15 days I got a reply saying sorry for the delay and somebody would be looking into it soon.
Now after more than a month since that email and nearly 2 months since the filing of the bug, I hear nothing. I check the bug and it has been fixed. I can tell it has been fixed because the form output has changed and there definitely has been a code update. 
Maybe they are deliberately causing this delay so that fewer bugs will be revealed in the media and they don't look so bad?
======
collingreene
I work at facebook on the bug bounty program, if you have an email, name or
ticket id I can look into it for you.

There could be a few things going on here, maybe your bug was classified as
low pri, maybe we misdiagnosed the bug.

Speculation but I would call into question your assertion that we fixed
something based on your submission and then attempted to hide/delay it. We
have not and would not do such a thing.

~~~
chr13
It may not be intentional, but what about unintentional fixes? What happens to
bugs that were valid when posted but fixed (unintentionally) right after a
release/code deployment?

~~~
collingreene
I need more information if you want me to look into this issue.

We have paid out on such issues before but there is no hard rule. In general
we err on paying out if there is any question. We have paid out before when a
submission wasn't a bug at all but led us to some part of the code that we
ourselves then found a security bug in.

It is in our best interest to pay out whenever possible. More payouts = more
submissions = more security bugs found and fixed.

~~~
chr13
I think the report number is 173358208.

~~~
collingreene
Cool, found it. Will respond in the email thread.

~~~
chr13
Thanks for the reply, that clears things up.

~~~
stevoo
For you yes... for us no! Can we know why you got no reply and no reward?

~~~
chr13
This is the excerpt from the reply:

"Sorry it took a while to respond. It took us longer than normal because we
have had a few weeks of higher than average volume and this ticket was marked
as fixed but we hadn't corresponded back to you yet."

"This was indeed fixed by a separate diff that had been committed but was not
yet live when you submitted the issue. So in this case we didn't learn about a
new issue but we did double-check some of our assumptions around this stuff."

And I got a reward of $500. Here is the PoC:
[http://www.youtube.com/watch?v=x5HXv7nPgYo](http://www.youtube.com/watch?v=x5HXv7nPgYo)

------
whatcouldimean
Any bug bounty program suffers from tons of junk mail from people who copy
paste definitions from OWASP and misunderstand what's going on.

Bug bounty programs are as legitimate as the company wants them to be by
providing the time of engineers to analyze the bugs and the funds to reward
researchers. I don't think they can be bogus exactly, they are what they are.

Now, the reason they exist is because bugs have a value outside the bounty
program. So you, as a researcher, either have something you can profit from
(in which case the choice to report to the bounty is your personal choice and
there are others should you have to reanalyze) or you have a worthless
curiosity and you can't really complain that no one is giving you money.

It sounds like you spent time entering a 'marketplace' that you don't have the
capability to fully participate in, if you're all hung up on Facebook turning
over a reward.

~~~
chr13
You missed a key point, "responsible disclosure". Not only to the company but
to the public. I care less about whatever bounty they give or do not give.
They could just deny the bug but this lingering is too much. I like Google's
program where you have to wait x number of days and then you can disclose any
bug. I guess all I wish from these programs is that they fix the bugs fast,
which is good for them. I did not spend time to enter anywhere. I was just
curious one day and played around for an hour or two. I guess you are assuming
too much about me and my capability, and you cared so much as to create an
account just to reply to this post... meh :/

------
mattaustin01
I have had 5-6 bounty bugs answered in very short order. This must have
slipped through the cracks.

