> The panel has determined your report did not meet the threshold for a reward or credit in our Hall of Fame. Thank you for reporting this issue and good luck with your continued bug hunting.
That always kind of rubbed me the wrong way. I found a similar bug in Facebook, though it used image size instead of the script tag. Like the OP, I was given $1000. It definitely made me feel a lot more favorable towards Facebook's security team.
Wouldn't such orgs (or their vendors) pay at least $1k to find the people they want? I don't know what the right formula is to calculate bounty vs. expected black market value, but you only said nobody would buy it at all.
It's worth finding and fixing these problems, and that's what happened here. It is not a significant economic event, though, and it would be a surprising departure from normal payouts on bounties to see this get much more money than it did. The only reason it was surprising Google didn't pay out for the same bug is that it's Google --- most sites would assign this bug $0.
Feels like a strawman.
You know what they say about selling - solutions, not features.
This isn't a 'cross-domain request' any more than Stackoverflow is a UI on top of 'select * from Questions order by Date desc'.
It's a visitor identification system.
That said - I have no idea if this solution is something people will pay for. Especially given it needs an exploit that can be fixed once by one company and instantly sealed.
If you read how much effort is put into just reporting the bug, that will come close to half a month at least. Is $1000 half a security researcher's salary?
Is the idea that manipulating URLs like that for the victim site amounts to unauthorized use of their computer, hence CFAA stuff?
Just curious how an expert would draw the line between black hat SEO and TOS violations and actual illegal acts.
I guess the difference is between exploiting it yourself vs selling it. There was a clear path to monetisation that didn't require selling the exploit on the black market, and which could well fly under the radar (from my reasonably well educated SEO POV).
However, I don't think bug bounties necessarily need to equal the 'market value' of the bug, whatever that means.
Generally just my logic would be: selling bugs for which there's an established market is safer than selling one-off bugs to idiosyncratic buyers.
However, it doesn't cover the aspect that some bugs are directly monetizable without needing to be sold (as was the case with my Google XML Sitemap exploit).
Of course, there is a risk to directly monetizing such a bug too, but the risk calculation is then different.
They simply exist as a small incentive for folks who would have otherwise done nothing.
Looks like up to $30k per bug.
Sadly, it was before FB had a bug bounty program, so I didn't receive anything after I contacted them and they fixed the issue. I wrote about it here: http://blog.quaji.com/2009/07/facebook-personal-info-leak.ht...
Then Facebook started requiring a password to make changes to page administrators, but they never returned the page to him.
Perhaps browsers need to expand the potential effects of access-control-allow-origin.
It's interesting that there wasn't any rate limiting on this API, it seems like?
Someone finds exploit, gets the bounty, facebook fixes and we have a timeline.
Sounds like the system worked... are we looking for something else here?
No. But some people, myself included, are interested in this sort of thing.
It's also interesting to see the timescales of the fix. Posts like this demonstrate that the system worked, albeit perhaps a bit slower than we'd like to imagine.
Whilst the reports of bug hunting apparently within the scope of the bug bounty resulting in a legal team responding with a false dichotomy between an NDA or prosecution are particularly juicy, it's also nice to hear about the cases where that isn't the outcome.
But a 6-9 month time to fix seems really long (also I would have thought a $1000 bug bounty is low for this type of exploit...but then again I'm not in this space too much to know the average rewards).
Not to say that’s the way it is at Facebook, just what I’ve seen in the past.
I guess you'd have to consider Facebook's track record in terms of how charitable vs. cynical you want to be in interpreting their actions.