
Facebook paid $4.5K for disclosure of my user account exploit

117 points, by yvoschaap2, almost 12 years ago

19 comments

ig1, almost 12 years ago

    Churchill: "Madam, would you sleep with me for five million pounds?"
    Socialite: "My goodness, Mr. Churchill... Well, I suppose... we would have to discuss terms, of course..."
    Churchill: "Would you sleep with me for five pounds?"
    Socialite: "Mr. Churchill, what kind of woman do you think I am?!"
    Churchill: "Madam, we've already established that. Now we are haggling about the price."

You're either a black/grey hat or a white hat. Either you're a white hat and believe selling to malicious hackers is fundamentally wrong and you wouldn't do it at any price, or you're a black hat waiting for the right price.

The purpose of reward schemes is to reward white hats, not to compete with the bad guys for the black hat discoveries.
Comment #5799007 not loaded
Comment #5798668 not loaded
Comment #5798684 not loaded
Comment #5798843 not loaded
Comment #5798616 not loaded
Comment #5798865 not loaded

Irregardless, almost 12 years ago

Less money = less incentive = fewer disclosures = less secure.

Facebook is abusing the good will of white hats by offering such trivial sums, and they're reducing the security of their platform in the process. They have how many $100k+ engineers who couldn't find this? And how much does the average security breach cost per record, $100-$200? This exploit alone could have exposed them to millions in losses at that cost.

This is what turns white hats into black hats, and I wouldn't blame the guy for selling his next exploit rather than disclosing it. A famous guy once said "we create our own demons". And then the guy in Iron Man 3 said it. And now I'm saying it.
Comment #5798738 not loaded
Comment #5800220 not loaded
Comment #5798633 not loaded

jrochkind1, almost 12 years ago

I think many people reading this get a sort of uncomfortable feeling thinking about 'white hat' security researchers receiving bounties for disclosure -- it sounds a bit like extortion, especially when people talk about "wondering how much more you can get elsewhere."

But at the same time, the reality is that we're in somewhat of a security crisis. Businesses responsible for the security and privacy of our personal information and identities are clearly not in fact capable of protecting those on their own. (In part because it is a very hard task.) They need help. And they're not going to get enough help purely from unpaid volunteers.

In a more reasonable world, the government would have armies of 'white hat' hackers trying to find security holes (they surely do), and then _telling the affected about them_ (they definitely don't; they keep them instead for their own use). Because that would result in increased security for us all, isn't that in theory the mission of police agencies, increasing our security?
Comment #5798346 not loaded

epenn, almost 12 years ago

"...intrigued by the bold sentence on Facebook's security researcher page "There is no maximum reward" I went out and started giving Facebook's code another peek."

I'm not surprised that you feel this wasn't enough since it appears the reward is your motivation for finding an exploit in the first place. The reward shouldn't be viewed as payment for services rendered, but rather as a gesture of good will for performing your duty of responsible disclosure.

"Without the disclosure of whitehat hackers, like I did, these exploits can also become available to dubious parties who could wreak (digital) havoc."

If you are truly a white hat then you aren't motivated by money. You are principally motivated by wanting to make the world a better, safer place. Since you're well-versed in computer security, that motivation will propel you to apply that knowledge to the web (or really to any vulnerability) when the opportunity presents itself.

If the reward is your motivation then at best this makes you a grey hat. You did the right thing, but for the wrong reasons. Note that for the following I'm not saying you personally will necessarily do this; but it would be easy from that position to start treating the group of people who you're willing to disclose a vulnerability to as a marketplace. Facebook will pay $4,500? Fair enough. L33tBotNetHaxz0r will pay $20,000? Done.

If you're someone who possesses the skill to discover security vulnerabilities, I think it's important to think through what your real motivations are. Is it for the rush of capturing the flag? Is it for the money? Is it to help people? Your actions can affect many, so act wisely.

Edit: I should clarify that I mean that money can't be the *principal* motivation for a white hat hacker. I believe it's fine as a secondary motivation. I give an example in another comment below.
Comment #5799166 not loaded
Comment #5799301 not loaded
Comment #5799107 not loaded
Comment #5799523 not loaded

Gobitron, almost 12 years ago

Much of the conversation here centers around the value of reporting to Facebook vs. selling to a black hat. This is the wrong paradigm to view this issue through.

Taking the view that selling to black hats is ALWAYS wrong, it may still make sense for Facebook to pay significantly more to find vulnerabilities in their system. A less vulnerable system is one with a competitive advantage, and I think Facebook is missing an opportunity to tout their security credentials.

Let's take a back-of-the-envelope calculation. Say instead of $4,500, they paid each of the 66 people who submitted a vulnerability $50,000. And since we're not halfway through 2013 yet, let's assume that in total 150 people will submit valid security holes to FB this year. That's $7.5 million dollars paid out.

Now, once word of a $50k payout gets out, say 10x the number of people try to find vulnerabilities, and the success rate increases linearly. So Facebook pays $75 million a year.

What are the benefits of this program? I'd say you get a few major benefits vs. the current situation:
1. You will definitely convert some black hats away from exploiting FB data in exchange for $50k legally obtained.
2. You convert a lot of people currently looking for security exploits in Google, Amazon, etc. to searching for FB vulnerabilities.
3. As a result you have a much more secure platform.
4. You can leverage these payments through media and PR to legitimately show that you care about security.
5. You combat competitors by touting a more secure platform.

$75 million is not small change when you look at FB's operating income, but it's not going to break the bank either.

The point is that it may well be a rational decision on FB's part to offer significantly more, and it has nothing to do with the black hat market value of the exploit.
Comment #5799217 not loaded
Comment #5799759 not loaded
Comment #5799425 not loaded

yvoschaap2, almost 12 years ago

I posted a more detailed description of the exploit: http://www.reddit.com/r/netsec/comments/1fe9mj/facebook_pays_45k_for_disclosure_of_my_complete/ca9ehfe

tptacek, almost 12 years ago

$4500 sounds about right for this vulnerability.
Comment #5798392 not loaded
Comment #5798690 not loaded
Comment #5798757 not loaded
Comment #5798760 not loaded

joetech, almost 12 years ago

$4.5k is decent. Were you expecting to get rich? There are contests where you can rake in much larger amounts, and you could make a killing forming a penetration testing team if money is the issue.
Comment #5798360 not loaded

ronaldx, almost 12 years ago

$4.5k is surely a small amount of money if they had employed someone to do this kind of work.

However, since the work was done for free, the author had sunk the time and risked getting $0 for it. Even if the author is inclined to go black hat, there's a lot more (likely illegal) work to be done for the author to extract value from it.

As such, $4.5k is a good deal for the author - Facebook offered it knowing that and the author accepted it knowing that.

I don't think this remotely reflects Facebook's true value of privacy (although this admittedly may not be high).

Facebook's only potential loss by making this offer is that it may make it slightly less likely for talented people to work externally on white hat exploits.
mag00, almost 12 years ago

Hi - I built Facebook's Bug Bounty program with a few other FB folks. There are a couple of things I want to add to the conversation about how we look at rewards.

(Also, in 2009 it was just myself and a couple of others running our disclosure program. It wasn't even bounties at that point. We'll get you a shirt; you can pretty much just blame me for that.)

1. We don't compete with the bug market, so our rewards will not look like market prices. It's true that "Bad Guys" would pay enormous amounts for a bug. They also pay a premium for the criminal risk being taken, and for the opportunity to exploit it which will theoretically make them a lot of money. However, we're good guys and we don't plan on profiting from bugs.

2. You, the researcher, are safe to post and talk about the vulnerability you found when Facebook is held to the disclosure policy. If your bug is extra-awesome, we'll sometimes send a bunch of reader traffic your way from our bug bounty page. This has shown to be worth a lot to researchers. Several of our bounty hunters have started companies, gotten jobs, and become internet famous from this program, and value this more than any bounty.

3. We are pretty lenient on what qualifies as a bug, which means we have a higher volume of payments to researchers than you might expect. If a researcher showed amazing skill in finding something that didn't actually turn out to be a bug, we'll probably reward them anyway because we want them to keep trying. We are pretty lenient on duplicates as well. If we see that someone truly discovered a bug independently (and also showed significant skill discovering it) then they'll probably get a reward too. The theory here is that we want more responsible disclosures instead of pissed-off researchers.

Overall I don't want to argue with the amount we rewarded here, but show that we're doing a lot of stuff that's benefiting a lot of researchers. We're one of the first companies to launch a bounty program, and most of the researchers you have listed would probably say they think we're doing pretty well. Not too many companies have a bug bounty program, and I'm really proud of ours! :)
Sujan, almost 12 years ago

What's the point/argument of this article? That 4.5k is not enough money?

(Serious question, not hating.)
Comment #5798236 not loaded
Comment #5798278 not loaded
Comment #5798222 not loaded

benjamincburns, almost 12 years ago

Pricing 101: Goal: Get as much as you can for the thing that you're selling.

Purchase Negotiation 101: Goal: Pay as little as possible for the thing you're buying.

To me what's funny about this is that if Facebook didn't pay the author at all, we probably wouldn't be reading this blog post right now.

vinhboy, almost 12 years ago

These bounties should be thought of more as an "award" than a "reward". In this case, the author has received a great honor for his cleverness.

readme, almost 12 years ago

$4.5k for spec work isn't that bad. They could've paid $0.

With that said, I keep my Facebook account only for testing applications.
Comment #5798269 not loaded

cadab, almost 12 years ago

I've been paid as part of their white hat program; $4.5k doesn't seem that high compared to what I was paid for my 'exploit'. I picked up $1k for finding a bug in their event invitations: a user could add friends to a private event when using a mobile phone.

Given that his exploit was getting actual private data from people, I'd have thought he'd have been paid more. That's not to say $4.5k isn't a lot of money; it's a very nice reward.

general_failure, almost 12 years ago

I think many of the comments are just saying 'do not work for free; if you work for free, do not expect big rewards'. I have to agree with that. So, OP, don't take it personally. All good work on your part, but do not expect too much for free work. That's the way the world rolls.

minimax, almost 12 years ago

What is the actual black market value of an exploit like this? Is it in the realm of $4,500?
Comment #5798350 not loaded
Comment #5798537 not loaded

skizm, almost 12 years ago

I'm not sure about the law in these situations. What happens if a hacker (right now let's not label them black or white hat just yet) decides to tell Facebook that they know of an exploit which can gain access to anyone's account given an email address? This is a monumental bug, obviously. Is the hacker allowed to negotiate a price and then withhold the info if their demands are not met? Or is this against the law?

I would guess as long as they don't use the exploit or sell it to some 3rd party (nefarious or otherwise) then they should be safe, right?

Comment #5798762 not loaded

melvinmt, almost 12 years ago

It's very simple. If you had a certain price in mind, negotiate the price first, before delivering the service.

Comment #5798630 not loaded