
And I still think that line of thinking is bullshit.

The bottom line is that the dollar value for this stuff is arbitrary, and Facebook arbitrarily picking $10,000 for getting COMPLETELY OWNED and exposing any selection of personal data (in the case of the other bug, this one seems to have the potential to be even worse due to credential stealing, although it's murkier) is pretty gross IMO.

I don't know what the number should be - again, it's arbitrary - but in my personal book $10,000 is about 10x too low.



Facebook didn't get COMPLETELY OWNED. A third party product they were using for some backend line of business process that lived in a DMZ got COMPLETELY OWNED, and the researchers were unable to escalate privileges beyond it.


In parens, I said I was referring to the linked discussion, which was about a researcher that had access to any FB account. IMO that qualifies as TOTALLY OWNED. The only thing worse would be a full dump of every account.

I agree this one is murkier, although at first glance the proxy method employed by the "mystery adversary" seemed promising for privilege escalation.


Doesn't Facebook's policy prohibit privilege escalation? They write the following:

You do not exploit a security issue you discover for any reason. (This includes demonstrating additional risk, such as attempted compromise of sensitive company data or probing for additional issues.) [0]

It's no wonder other bounty researchers didn't find further vectors for exploiting their privileges. There was a researcher not too long ago hit by the book for this.

[0] https://www.facebook.com/whitehat


That's an oversimplification. What actually happened was: a researcher found a serverside bug in a random backend box, got RCE, logged in, scraped and banked all the creds off the box, reported the bug, and then a month later during a dispute used the creds he stored to attack other Fb properties.

Dumping directories from machines and banking their creds isn't "escalating privileges". If you did that on a pro red team project, saving the creds to use a month or two later, you'd get fired.


The case (or however one wants to construe what or how things really happened) isn't too interesting to me. Do you read FB's whitehat rules of engagement differently?

I dug up the mentioned case, and FB's first contact with the researcher included, "Please be mindful that taking additional action after locating a bug violates our bounty policy." Between FB's whitehat policies and that, I'd be pretty sure not to escalate privileges.


Me too.


Given that a vulnerability may be exploited by a malicious party and that this could cost Facebook X millions of dollars: how much should Facebook pay for vulnerabilities to reduce the risk of such an event? That is, given some cost/benefit model, what is the ideal price for a particular class of vulnerability?

This suggests two related questions: 1. how does buying vulnerabilities reduce the risk of a malicious use of a vulnerability, and 2. by how much?

I suggest two answers for question 1:

First, buying a vulnerability and then patching it prevents that vulnerability from being used by an attacker. It only makes sense to do this if vulnerabilities are very rare, since the more rare they are, the greater the benefit of fixing them.

Second, someone who discovers a vulnerability might have a human urge for recognition and/or payment. "I did the work, I deserve some credit/payment." In this case Facebook is competing with the vulnerability black market, but Facebook has an inherent advantage (all things being equal, a legal dollar is more beneficial than an illegal dollar, and you get bragging rights, which have both intrinsic and monetizable value).

I have no idea how to answer question 2 as it is quantitative. Perhaps an economist has written pricing models for bug bounties and how this should impact cyber-insurance premiums?


Major companies do not store most information on most humans in 1st/2nd class countries.

For the love of me, I could not imagine what implications a huge hack into Facebook could have on the civilized world. Imagine someone has a database of all emails, with all activities and all connections, on everything everybody in America, Europe and Asia does.

The ability to spam people into oblivion would be just the tip of the iceberg. Most likely countries like the UK or Germany would ban Facebook altogether. Not to mention there are millions of active credit cards stored in their wallets. The implication of a hack at that scale would be hundreds of millions of dollars spent on only printing new plastic cards for affected cardholders.

For $10,000 you cannot even buy a modest 80" TV... I am disappointed at how little FB values keeping their system secure, but oh well... who uses FB anyways /sarcasm


>> And I still think that line of thinking is bullshit.

You haven't given any real refutation to the comment linked by the parent. How qualified is your opinion? You're entitled to it, but know that most bug bounty participants and members of the actual security industry disagree with you.


My refutation is in the linked discussion.

And I'm reasoning from economic first principles, not experience in the field. From first principles, I don't understand the argument that $10,000 is fair. At least, I don't understand that argument any more than why $10 is fair - which is my point, that it's arbitrary. And in my arbitrary opinion, $10,000 is grossly low compared to the relative work involved and money at stake.

The FBI just paid $1M to access one guy's iPhone. The vulnerability in the linked discussion, which was guaranteed access to any FB account, was a $10,000 bounty. IMO those numbers need to be a lot closer together.

Edit: $15,000



