Hacker News new | comments | ask | show | jobs | submit login

I really think 10,000 for serious exploits like these is just not enough money. Even if OP only spent an hour or two on finding this out (although highly unlikely), they should pay based on seriousness/potential damage of the bug. Great writeup though. Super interesting stuff.

common response to why companies don't pay a ton of money for these exploits [1]

[1]: https://news.ycombinator.com/item?id=11249173

And I still think that line of thinking is bullshit.

The bottom line is that the dollar value for this stuff is arbitrary, and Facebook arbitrarily picking $10,000 for getting COMPLETELY OWNED and exposing any selection of personal data (in the case of the other bug, this one seems to have the potential to be even worse due to credential stealing, although it's murkier) is pretty gross IMO.

I don't know what the number should be - again, it's arbitrary - but in my personal book $10,000 is about 10x too low.

Facebook didn't get COMPLETELY OWNED. A third party product they were using for some backend line of business process that lived in a DMZ got COMPLETELY OWNED, and the researchers were unable to escalate privileges beyond it.

In parens, I said I was referring to the linked discussion, which was about a researcher that had access to any FB account. IMO that qualifies as TOTALLY OWNED. The only thing worse would be a full dump of every account.

I agree this one is murkier, although at first glance the proxy method employed by the "mystery adversary" seemed promising for privilege escalation.

Doesn't Facebook's policy prohibit privilege escalation? The write the following:

You do not exploit a security issue you discover for any reason. (This includes demonstrating additional risk, such as attempted compromise of sensitive company data or probing for additional issues.) [0]

It's no wonder other bounty researchers didn't find further vectors for exploiting their privileges. There was a researcher not too long ago hit by the book for this.

[0] https://www.facebook.com/whitehat

That's an oversimplification. What actually happened was: a researcher found a serverside bug in a random backend box, got RCE, logged in, scraped and banked all the creds off the box, reported the bug, and then a month later during a dispute used the creds he stored to attack other Fb properties.

Dumping directories from machines and banking their creds isn't "escalating privileges". If you did that on a pro red team project, saving the creds to use a month or two later, you'd get fired.

The case (or however one wants to construe what or how things really happened) isn't too interesting to me. Do you read FB's whitehat rules of engagement differently?

I dug up the mentioned case, and FB's first contact with the researcher included, "Please be mindful that taking additional action after locating a bug violates our bounty policy." Between FB's whitehat policies and that, I'd be pretty sure not to escalate privileges.

Me too.

Given that a vulnerability may be exploited by a malicious party and that this could cost facebook X millions of dollars: How much should facebook pay for vulnerabilities to reduce the risk of Such an event? That is, given some cost/benefit model what is the ideal price for a particular class of vulnerability?

This suggests two related questions, 1. how does buying vulnerabilities reduce the risk of a malicious use of a vulnerability and 2. by how much?

I suggest two answers for question 1:

First buying a vulnerability and then patching it prevents that vulnerability from being used by an attacker. It only makes sense to do this if vulnerability are very rare, since the more rare they are the greater the benefit of fixing them.

Second someone who discoveries a vulnerability might have a human urge for recognition and/or payment. "I did the work, I deserve some credit/payment". In this case facebook is competing with the vulnerability blackmarket, but facebook has an inherent advantage (all things being equal a legal dollar is more beneficial than an illegal dollar and you get bragging rights which has both intrinsic and monetizable value).

I have no idea how to answer question 2 as it is quantitative. Perhaps an economist has written pricing models for bug bounties and how this should impact cyber-insurance premiums?

Major companies do not store most information on most humans in 1st/2nd class countries.

For the love of me I could not imagine what implication o huge hack into facebook could have on the civilized world. Imagine someone has a database of all emails with all activities all connections, on everything everybody in America Europe and Asia does.

The ability to spam people into oblivion would be just a tip of an iceberg. Most likely countries like UK or Germany would ban facebook altogether. Not to mention there are millions of active credit cards stored in their wallets. The implication of a hack at that scale would mean hundreds of millions of dollars spent on only printing new plastic cards for affected cardholders.

For $10,000 you cannot even buy a modest 80" TV... I am disappointed how little FB values their system to be secure, but oh well... who uses FB anyways /sarcasm

>> And I still think that line of thinking is bullshit.

You haven't given any real refutation to the comment linked by the parent. How qualified is your opinion? You're entitled to it, but know that most bug bounty participants and members of the actual security industry disagree with you.

My refutation is in the linked discussion.

And I'm reasoning from economic first principles, not experience in the field. From first principles, I don't understand the argument that $10,000 is fair. At least, I don't understand that argument any more than why $10 is fair - which is my point, that it's arbitrary. And in my arbitrary opinion, $10,000 is grossly low compared to the relative work involved and money at stake.

The FBI just paid $1M to access one guy's iPhone. The vulnerability in the linked discussion, which was guaranteed access to any FB account, was a $10,000 bounty. IMO those numbers need to be a lot closer together.

Edit: $15,000

The usual way to evaluate this is to consider the chance of being discovered (D) times the chance of being used as an exploit (E) times the cost of the exploit (C) with an appropriate discount factor (F). Think of the discount as the wholesale price of the exploit, what a mal actor might pay for the exploit.

For example, if there was a 1% chance of discovery, and a 50% chance of the person discovering it using it as an exploit, and it cost them 1 day of revenue ($50m) and they used a discount factor of 10%, that would indicate that the bounty would be worth about C * D * E * F = $25k.

If it's likely that the exploit would only last 5 hours, then $10k is a reasonable bounty.

> Cost of revenue

That itself is pretty vague to determine as a hack could have an impact on reputation and the impact might not be limited to just one day. Future users might be afraid to use the product, current users might leave in few weeks.

Which is ironic because "impact on reputation" is quite vague itself.

That was my point, actually. My poor english is to be blamed if it wasn't clear :)

"Say they buy it for $20,000. Do you really think someone will derive $20,000 of profit from this before it's caught and patched by Facebook?

The only vulnerability worth $15,000 or more is one directly impacting a language, a widely used development library/framework or a widely used piece of software."

I think that statement might apply here given the FTA issues. Hackers could've gotten plenty mileage out of it. Especially if others at Facebook, like their AI team, used it for something that's a trade secret. That's speculation but it's not like hacking a news feed.

Its not just the value to the finder but the cost to facebook. Generally the profit an attacker makes is an order of magnitude less than the cost they incur.

Good point. That should be factored in.

I guess the only way to find out if that's true is to try and use the black market first?

Good luck with that. "The black market" isn't buying vulnerabilities in 3rd party serverside components at Facebook.

Seriously! Especially for a company as big as facebook!

I'd say $25,000 at least. It's a number I've seen a few companies cite for full-scope, penestration tests. Usually to sell their products they make the real money on. :)

I'd have to say that it's pretty clear Facebook isn't offering enough, otherwise the first guy through the system would have claimed it.

Oh yeah, I'm just trying to determine a number that would makes sense. Another angle to look at is what black market would pay for whatever level of access. Might need official bounty to be a good fraction of that or equivalent to get more of the 0-days from black market. There's also balancing the cost of straight-up, security staff vs the bugs others are finding. Maybe just pay good consulting to people with experience that you rotate in and out to find stuff others overlook with bounties paid based on effort and significance.

Many possibilities. This was worth way more than $10,000, though, given it detected a subversion. I'd have applied the consultant to a few other areas of my operation given the aptitude.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact