December 13, 2011

Talk about geek chic. Facebook has started paying researchers who find and report security bugs by issuing them custom branded “White Hat” debit cards that can be reloaded with funds each time the researchers discover new flaws.

Facebook's Bug Bounty debit card for security researchers who report security flaws in its site and applications.

I first read about this card on the Polish IT security portal, which recently published an image of a bug bounty card given to Szymon Gruszecki, a Polish security researcher and penetration tester. A sucker for most things credit/debit card related, I wanted to hear more from researchers who’d received the cards.

Like many participants in Facebook’s program, Gruszecki also is hunting bugs for other companies that offer researchers money in exchange for privately reporting vulnerabilities, including Google, Mozilla, CCBill and Piwik. That’s not to say he only finds bugs for money.

“I regularly report Web app vulnerabilities to various companies [that don’t offer bounties], including Microsoft, Apple, etc.,” Gruszecki wrote in an email exchange.

The bug bounty programs are a clever way for Internet-based companies to simultaneously generate goodwill within the security community and to convince researchers to report bugs privately. Researchers are rewarded if their bugs can be confirmed, and if they give the affected companies time to fix the flaws before going public with the information.

As an added bonus, some researchers — like Gruszecki — choose not to disclose the bugs at all.

“My rule #1 as participant of bug bounties: Don’t tell details about reported bugs,” he replied, when asked about the details behind his most recent Facebug find. “This is my personal decision, but perhaps in the future I change my mind. So I prefer to fix the bugs silently, but it’s nice that they can mention about me by putting my name on their White Hat list.”

Gurszecki said that as cool as the White Hat card is, he has asked Facebook to send his earnings another way, saying that using the card carried too many fees in his country.

“I have found the card is too expensive to use in Poland, and chose another way to get my reward,” he said. “The Facebook team sent me the card only as a souvenir.”

Neal Poole, a junior at Brown University, has reported close to a dozen flaws to Facebook, and also recently received a White Hat card. Poole has earned cash reporting flaws to Google and Mozilla, but unlike Gruszecki he blogs about each vulnerability he finds after they are fixed, detailing every step of his discovery and interaction with the affected vendor.

Poole’s research and diligent write-ups eventually caught the attention of Facebook’s recruiters: Next summer, he’ll be interning at Facebook, working directly with the company’s security team.

The New York native welcomed the bug bounty card, which makes it a bit easier to get paid. Initially, he’d asked to be paid via Western Union, but he ended up having the payment sent via PayPal. Now he just takes the card into JP Morgan Chase (the issuer of the card) and has them dump the cash into his bank account. “It was a little confusing at first for the people at my bank. They’d never seen one of these cards before.”

The young researcher said although the White Hat card definitely carries some geek cred, he won’t be flashing it at security conferences to buy drinks for his contemporaries anytime soon.

“I don’t think I’d want to use card like that at [hacker conventions like] Black Hat or DefCon,” Poole said. “It’d probably get cloned, or I’d feel like if you pulled out the card it you would immediately become a target.”

14 thoughts on “Bugs Money

  1. Jay Wocky

    Call me a cyber-dinosaur (I expect to be vindicated some day). But I continue to avoid 150% any and all things “Facebook.” Along with all other “social networking” sites and services.

    1. Datz

      Would you also stop walking because you fear you may fall down? Ignorance is no excuse; arm yourself with the knowledge and go out fearlessly in this cyber world.

      1. steve

        @Datz – yes, go out into the cyber world, but NOT fearlessly. Ask any hero – they felt the fear and did it anyway. Fearless leads to foolish risk, not prudent behavior.

      2. Jay Wocky

        I don’t recall invoking ignorance to excuse my Facebook-o-phobia. Indeed, my avoidance of FB et al. simili is based in considerable research and anecdotal evidence.

        As for fear, well: I walk generally without fear. But I stay off of tight ropes with the same mindset that eschews social networking. Thus far, neither abstinence seems to have narrowed the universe for me. Rather, I reap the benefit of time to spend on better things.

    2. F-3000

      My usual comment for people who tell me that they don’t have Facebook account is “you have lost nothing”.

      What I find rather negative aspect, is that there’s a lot of site specific forums, yet people use only facebook groups when/if one is created.

      Why it is not good that the facebook group is more used than a site forum?
      Firstly, Facebook is not safe media. As a mere example, a browser-addon meant to be a FB-game tool, may reveal basically anything that’s written in a closed group, if the tool’s written badly, or if it’s purposely malicious. Less likely to happen when the game-site, and the forum are on different source.
      Secondly, Facebook is not stable media. Those who are members of groups, and especially those who are admins of groups, remember too well about the group-renewal of Facebook, which happened short ago. A lot of groups went to “archives”, because the updating system did not even work for those who did not use english as FB language, until it was too late. On occasion, groups, or even user-accounts, go missing or unaccessible without clear reason about what has happened.

  2. h.ell

    @ Jay Wocky: same here. Facebook, Twitter, Tumblr and whatever social network you can think of — they’re no-go for me. I like to keep things private.

  3. Wladimir Palant

    An entity that I don’t trust with my data wants to issue me a debit card? Call me paranoid but I would only use this card to immediately remove money from it – I don’t want Facebook to know what I use the money for or which shops I frequent. So far I received all bug bounties (from Mozilla and Google) by wire transfer and would be pretty suspicious if a company would suggest something else.

  4. george

    This is the first positive news I’ve heard about Facebook in years. I’m wondering about details though: Is the bounty proportional with severity of the bug ? What amounts are usually paid (in the thousands, tens of thousands, or less). With 0-day’s going for 50 000$ or more on black market I would be surprised if Facebook matches that. What happens if multiple researches submit the same bug before the vulnerability is fixed and disclosed ? (probably a quite frequent occurrence).

  5. Michał

    There is a typo in the Niebezpiecznik’s URL – you forgot http Brian, link doesn’t work.
    Glad to see Niebezpiecznik here, they are quite popular in Poland, educating in itsec.

  6. helly

    I was lucky enough to find a vuln in google search a few months back, I thought the hall of fame was a neat idea. I love this card idea, it continues to make it interesting for researchers to report vulnerabilities in ways a company desires.

    These programs I think are extremely beneficial, and it would be exciting to see more companies continue to emulate these models.

  7. geeknik

    I’ve made some quick cash through Google and Mozilla’s bug bounty programs, but I didn’t know about Facebook, CCBill and Piwik. Time to get cracking, so to speak. 😉

  8. JCitizen

    Great article Brian! It is so good to see people making a positive difference for once!

  9. Jango Fett

    These “bounties” are just spec work moved to a different domain. The scenario is the same as in the creative design world: many toil, few are paid, all are exploited.

    Security researchers do have one bit of leverage that artists don’t; they can sell the product of their labors to the black hats. But they have dance carefully to avoid extortion or criminal accessory charges. Still, in the end I think selling to the bad guys is the best way to increase the number of security pros actually hired as opposed to being merely exploited in these contests.

Comments are closed.