
How I got a $3,500 USD Facebook Bug Bounty - fransr
http://blog.detectify.com/post/39209711597/how-i-got-a-3-500-usd-facebook-bug-bounty
======
shimon_e
I submitted a report to Facebook about privacy setting circumvention. Didn't
receive a response. Didn't receive a bounty. Facebook DID fix the bug after
some months.

Feel a bit cheated that a billion dollar company couldn't take the time to
respond... if I had the time I'd follow up with them.

~~~
ssclafani
To report a security or privacy vulnerability to Facebook use their Report a
Security Vulnerability form: <http://www.facebook.com/whitehat/report/> Any
other way and you risk your report not being received.

~~~
shimon_e
I did.

------
killahpriest
Whenever people teaching others about security mention XSS, I've always
wondered whether it really even happens in the real world. I'm sure everybody
escapes their input.

Turns out there's a reason XSS is so often mentioned. Even Dropbox and
Facebook fell prey to it (although in this case the input wasn't from the web,
but rather from their desktop application/service partner).
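
As an added illustration (not code from the post or from any of the commenters), the point killahpriest makes above: input that did not arrive through a web form, here a display name supplied by a desktop client or partner feed, is still untrusted and must be encoded at the HTML output boundary. The sample name and the two render functions are constructed for this example.

```python
"""Escaping at the output boundary, regardless of where the data came from."""
import html
from html.parser import HTMLParser

# Constructed sample value (not from the post): a display name that reached the
# web tier from a desktop client / partner API rather than from a browser form.
SAMPLE_NAME = 'O"Brien <script>x()</script>'


def render_unsafe(name: str) -> str:
    """The bug pattern: the value is trusted because of its source and is
    concatenated straight into HTML, in both an attribute and the element body."""
    return f'<div class="name" title="{name}">{name}</div>'


def render_safe(name: str) -> str:
    """The fix: encode for the HTML context at output time. html.escape with
    quote=True covers both the element body and a double-quoted attribute."""
    safe = html.escape(name, quote=True)
    return f'<div class="name" title="{safe}">{safe}</div>'


class _StartTagCollector(HTMLParser):
    """Records every start tag a browser-like parser would see in the markup."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        self.tags.append(tag)


def start_tags(rendered: str) -> list[str]:
    """Parse rendered HTML and return the start tags it actually contains.
    Only the template's own <div> should appear if escaping worked."""
    parser = _StartTagCollector()
    parser.feed(rendered)
    parser.close()
    return parser.tags


if __name__ == "__main__":
    for label, render in (("unsafe", render_unsafe), ("safe", render_safe)):
        out = render(SAMPLE_NAME)
        print(f"{label}: tags={start_tags(out)}\n  {out}")
```

Running the module prints the parsed tag list for both versions: the unsafe rendering yields an extra `script` start tag from the partner-supplied string, while the safe rendering parses to a single `div`. The same rule applies to any other sink (URL, JavaScript string, CSS value), each with its own encoder; `html.escape` is only correct for HTML body and quoted-attribute contexts.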

~~~
reginaldo
I recently found a pretty simple one on <https://accounts.google.com/>, which
is arguably Google's most valued domain. I believe XSS is the most common
vulnerability these days. One doesn't even have to be able to inject
JavaScript per se. Only a CSS style is enough in many cases.

~~~
TomAnthony
The bounty for that page is ~$10k or such, no? Did you get anything?

~~~
reginaldo
Actually it is $3133.7 (eleet). I got it, of course. The security team at
Google is, simply put, awesome.

------
gklitt
Props to Facebook for being so responsible about fixing this bug. After seeing
so many blog posts about companies not responding to emails from whitehats
finding XSS vulnerabilities ([http://www.troyhunt.com/2012/08/why-xss-is-serious-business-...](http://www.troyhunt.com/2012/08/why-xss-is-serious-business-and-why.html)),
it's comforting to see someone take such reports seriously.

~~~
rmc
This is the point of responsible disclosure. Tell the company, wait a week or
whatever, if they do nothing, then it's ethical for you to tell the world.

------
tommi
I bet the Blackhat Vulnerability Program would've paid a lot more.

~~~
tptacek
For XSS? No.

~~~
xSwag
With CPA + FB traffic on such a large scale, one could easily make $50k+ in a
week with multiple CPA networks.

~~~
tptacek
Knowing what little I do about the market for browser code execution
vulnerabilities, I am very skeptical that there is a black hat market that
pays 5 figures for XSS.

------
jbverschoor
lol.. I found a bug in PayPal which allowed me to transfer funds from one
account to another, even though this was prohibited.

I got nothing. Maybe next time I'll just post this stuff for random people on
Twitter to find.

------
tomjen3
Wow, so all that happens if you save Dropbox's ass is that you get a special
mention on their special page that very few people know about?

Why even bother to tell them then?

~~~
tptacek
Well, one obvious answer would be, "don't bother to tell them".

Of course, it's hard to think of what else you might do with a Dropbox web
finding. I sort of doubt there's a liquid market in Dropbox vulnerabilities.
For one thing, vulnerabilities that do have markets tend to have patch
lifecycles longer than "instantaneously fixed as soon as target finds out
about vulnerability".

You can also choose to publish on your own website. This buys you not a whole
lot more than just informing Dropbox, except to signal to the professional
market that you will go out of your way not to help people like Dropbox when
you find a bug.

Nobody in the whole wide world is obligated to do free research for Dropbox.
That's not what pages like these are meant to imply.

~~~
tomjen3
Thanks for the illumination. I don't have any specific issue with Dropbox, I
am just tired of doing free work for corporations in return for a small
increment in some integer in some database (HN, Reddit or /. karma) when that
increment isn't worth any money nor is going to get me laid.

------
tokipin
Wait, Facebook has like millions of bugs -.- though maybe UI glitches aren't
considered bugs.

------
wilfra
I submitted an error (and a solution) in their Open Graph docs that caused a
bug if anybody copy/pasted the code from their site. The error was fixed
within hours, however I never got any money or even an email :(

~~~
JoachimSchipper
It's more of a "_security_ bug bounty". I'm sure they appreciate your fix,
but that's not really the point of the program. ;-)

(This is quite clear from <http://www.facebook.com/whitehat/bounty/>.)

------
robmcvey
BAM!

