Last year the social networking giant Facebook introduced its bug bounty
program, inviting security researchers to poke around the site,
discover vulnerabilities that could compromise the integrity or privacy
of Facebook user data, and then responsibly disclose them to the
company. The minimum reward was $500.
White hats were urged to search for Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF/XSRF) and Remote Code Injection bugs. In its White Hat program Facebook stated plainly that it did not want to be bothered with spam or social engineering techniques, DoS vulnerabilities,
bugs in Facebook's corporate infrastructure, or vulnerabilities in
third-party websites or apps. That has now changed. After the
social network's security team received an unsolicited tip from a researcher
about a vulnerability in the company's own network that would have allowed
attackers to eavesdrop on internal communications, they made the
unprecedented decision to broaden the scope of the bug bounty program
and invite researchers to search for other holes in the corporate network. Quite a few tech companies, such as Google and PayPal, run bug bounty programs, but Facebook has become the first firm to give white hats formal permission to target its own networks. Ryan McGeehan, the manager of Facebook's security incident response unit, stated that if there is a million-dollar bug, they will pay it out.
Given that Facebook has a strong incentive to protect the data belonging to its 900 million users,
and that data breaches have become a disturbingly common
occurrence in the last two years or so, the step seems like a logical
one.