Facebook Paid $2.2 Million In Bug Bounty Rewards In 2019
LINK ---> https://cinurl.com/2sXA7J
The payout guidelines provide insight into the process used by the company to determine rewards for certain vulnerability categories. Specifically, it provides information on the maximum bounty for each category and describes the mitigating factors that can result in a lower reward.
Vulnerability reward programs (VRP) or bug bounty sites are platforms that allow external cyber security professionals to report security threats to organisations. Tech industry leaders will use these platforms to offer massive rewards in order to keep their data protected.
In the Android Vulnerability Reward Program, Google paid out $1.7 million with 13 working exploit submissions alone, representing $1 million in exploit reward payouts. Among the notables were 11 reports about the Android 11 developer preview and a 1-click remote root exploit targeting modern Android devices, submitted by Guang Gong and his team at Alpha Lab, Qihoo 360 Technology co. Ltd.
Chrome VRP payouts were up 83% from 2019, with $2.1 million cash prizes handed out to researchers across 300 bugs in 2020. Meanwhile, the Google Play Security Rewards Program and Developer Data Protection Program paid over $270,000 to researchers. Google says COVID-19 tracing apps and apps relying on Exposure Notification API were also qualified to participate in the program this year. Google also increased the maximum reward for qualifying vulnerabilities to $20,000.
Apart from bounty rewards, Google distributed $400,000 in grants to more than 180 security researchers. Besides Google, other notable tech companies that also run similar bug bounty programs include Qualcomm, Facebook, OnePlus, Microsoft, Reddit, and Mozilla.
Google has also paid a whopping $8.7 million in vulnerability rewards. Security researchers of the firm have reported vulnerabilities not just in Android but also in Google Chrome, Search, Play and other products too.
Jacobus highlighted that the maximum reward was offered for vulnerabilities spotted on Android. In fact, the payouts doubled in 2021 from 2020 with nearly $3 million in rewards. Moreover, Google awarded the highest payout in VRP history in 2021 for an exploit chain discovered in Android that received a reward of $157,000.
Around 115 Chrome VRP researchers were rewarded for 333 unique Chrome security bug reports submitted in 2021, totalling $2.2 million in VRP rewards. Of the total $3.3 million, $3.1 million was awarded for Chrome browser security bugs and $250,000 for Chrome OS bugs.
Bug bounty programs allow companies to enhance their security by engaging a wider array of security researchers with diverse expertise [9]. Bug bounty programs are also cost effective. The bounty issuer only pays for verified exploits in a bug bounty. The issuer can also set the scope for analysis of different OSCs to focus on the top security concerns. In fact, the average cost of operating a bug bounty program for a year may be less than the cost of hiring two additional software engineers as of 2019 [10]. Research found that contributors are largely motivated by non-monetary factors, so a company is still able to derive utility from bug bounties even if they have a limited budget [11].
All the submissions for this bug bounty program were made in the first 6 months, and the analysis of the 4 OSCs covers 1.1% of risk in total for JavaScript OSCs used within Comcast. Aside from the cost of the platform, $1,500 was paid out for the 3 verified submissions.
Polygon paid a total bounty of $3.46 million to two white hat hackers who discovered the bug, according to the blog post. Leon Spacewalker, the first white hat hacker to report the security loophole on Dec. 3, will be rewarded with $2.2 million worth of stablecoins, Immunefi says. It says the second hacker, who was only referred to as Whitehat2, will receive 500,000 MATIC (currently over $1.2 million) from Polygon.
In 2019 alone, Shivam managed to snag as much as Rs 89 lakh through bounty rewards from numerous bigshot tech companies by exposing vulnerabilities on their platforms. Recently in April Shivam took home over Rs 70 lakh after winning a live hacking event.
On August 19, 2013, it was reported that a Facebook user from Palestinian Autonomy, Khalil Shreateh, found a bug that allowed him to post material to other users' Facebook Walls. Users are not supposed to have the ability to post material to the Facebook Walls of other users unless they are approved friends of those users that they have posted material to. To prove that he was telling the truth, Shreateh posted material to Sarah Goodin's wall, a friend of Facebook CEO Mark Zuckerberg. Following this, Shreateh contacted Facebook's security team with the proof that his bug was real, explaining in detail what was going on. Facebook has a bounty program in which it compensates people a $500+ fee for reporting bugs instead of using them to their advantage or selling them on the black market. However, it was reported that instead of fixing the bug and paying Shreateh the fee, Facebook originally told him that "this was not a bug" and dismissed him. Shreateh then tried a second time to inform Facebook, but they dismissed him yet again. On the third try, Shreateh used the bug to post a message to Mark Zuckerberg's Wall, stating "Sorry for breaking your privacy ... but a couple of days ago, I found a serious Facebook exploit" and that Facebook's security team was not taking him seriously. Within minutes, a security engineer contacted Shreateh, questioned him on how he performed the move and ultimately acknowledged that it was a bug in the system. Facebook temporarily suspended Shreateh's account and fixed the bug after several days. However, in a move that was met with much public criticism and disapproval, Facebook refused to pay out the 500+ fee to Shreateh; instead, Facebook responded that by posting to Zuckerberg's account, Shreateh had violated one of their terms of service policies and therefore "could not be paid". Included with this, the Facebook team strongly censured Shreateh over his manner of resolving the matter. In closing, they asked that Shreateh continue to help them find bugs.[302][303][304]
On August 22, 2013, Yahoo News reported that Marc Maiffret, a chief technology officer of the cybersecurity firm BeyondTrust, is prompting hackers to help raise a $10,000 reward for Khalil Shreateh. On August 20, Maiffret stated that he had already raised $9,000 in his efforts, including the $2,000 he himself contributed. He and other hackers alike have denounced Facebook for refusing Shreateh compensation. Maiffret said: "He is sitting there in Palestine doing this research on a five-year-old laptop that looks like it is half broken. It's something that might help him out in a big way." Facebook representatives have since responded, "We will not change our practice of refusing to pay rewards to researchers who have tested vulnerabilities against real users." Facebook representatives also claimed they'd paid out over $1 million to individuals who have discovered bugs in the past.[305]
To date, GPSRP has paid out over $265,000 in bounties. Recent scope and reward increases have resulted in $75,500 in rewards across July & August alone. With these changes, we anticipate even further engagement from the security research community to bolster the success of the program.
The attackers then reached out to Uber and demanded a $100,000 payment for information on how they were able to access the S3 buckets. Uber paid up, making the payment seem as though it was part of their bug bounty program, but it did not make the matter fully public. 2b1af7f3a8