by daraosn 3627 days ago
I think $5,000 is a joke, this is a serious vulnerability... Despite this, congratulations for finding it and reporting directly to them, the right way. If it's possible to know, how many hours did you spend researching this?
6 comments

>how many hours did you spend researching this?

Two to three hours discovering and writing the initial report, couple more hours (unsuccessfully) trying to escalate it using pre-approved apps.

>I think $5,000 is a joke

This is still $5,000 more than I would get reporting a similar bug to 99.999% of companies, and I am OK with the bounty. Here is a good comment on the topic of bug bounty rewards: https://news.ycombinator.com/item?id=11249173

I think $5,000 is a lot of money. I'd be pretty happy if they sent that to me. In years past, companies would just give you a nice pat on the back.
What if someone else was offering $10,000 for Facebook bugs, so they could exploit them? This bug could probably result in more than $5,000 in damages to the Facebook brand.
But someone isn't. That's the point. These bugs don't go for $10k on the black market.
Never mind the fact that it does matter to a lot of people whether they are committing a crime. Not everyone is a capitalist sociopath.

If someone without a conscience wanted to maximize their profit, they'd probably just sell to both sides.

That's odd considering the potential monetary damage of such bugs can far exceed $10k.
One can smash a car up with a sledgehammer. Is the value of a sledgehammer equal to the value of a car?
>Is the value of a sledgehammer equal to the value of a car?

My previous post was poorly worded; I didn't mean to imply equality.

To use your analogy, valuing a serious vulnerability on a platform that has 1.65B users in the $5-10k range is tantamount to selling a 30 lb sledgehammer for a dollar.

Stealing this.
The problem with valuing bugs at their damage potential is that the total damage potential of all bugs in any given product is almost certainly magnitudes greater than the total value of the product itself.
People always say this, but where would you go to find such a buyer? If you could find someone who would purchase it from you, would you proceed to then sell it to them?

If you can't find a buyer and/or would most likely be unwilling to commit a crime, it's a moot point.

Right, but this is facebook, and it's breaking auth. This is the company that said that if there's a million dollar bug, they will pay out for it. I'm not saying this is a million dollar bug, but breaking auth is up there on things that are bad and is probably worth a bit more than 5k.
Outside of whatever bounty Facebook chooses to offer for it, this vulnerability has a value on the open market of, perhaps, $50.
Don't understand the downvoting here... Very irrational or emotionally motivated. I'll explain why it's a joke: $5,000 is nothing considering what it could cost Facebook if someone in a black market finds this, plus a CSRF vulnerability is from a Security 101 lecture nowadays. They do have the resources and should put more money into auditing their production code and pay bigger bounties for someone who's not part of their company and finds a bug like this. Again, downvoting nonsense... this is not reddit guys, this is Hacker News.
Hell, I'd pay 6 just for shits and giggles.
Then do it. Facebook has a great security team, but it's a huge product with a lot of code churn, and there are plenty of shits and giggles left to find. Hang up a sign on Twitter or here, something credible that you can't get out of simply by changing your name to "admiralfred" or "commodorefred", that says you'll pay $6,000 for a Facebook CSRF.

You'll get a taker. Nobody other than Facebook is bidding for these bugs, and you're promising to be the high bidder for a lot of them.

Hmm. Seems like Facebook should create some front entities and buy cheap exploits on the black market. Of course, perhaps they already do. Smart folks work there.

Edit:

Actually, now that I think about it, someone in the right situation could probably make a nice living for a few years buying cheap/obscure exploits for lots of companies that provide bug bounties and submitting them. Beer money at least, perhaps tuition.

Seems sort of on the scale of small time drug dealer. Illegal, very risky in the long term, but possible to get away with for a few years if you're cautious.

>I think $5,000 is a joke, this is a serious vulnerability...

I tend to agree. They should probably add a zero to that.

Obviously $5,000 is a lot of money, but not to Facebook, and especially not in the context of fixing serious vulnerabilities on a platform that has 1.65B users.

If Facebook paid more they'd enhance their security in the process, at the cost of what amounts to chump change for them.

Maybe. But for anyone to make money off it, they'd need to be willing to be or work with a criminal, right? If they are getting work done for the amounts paid, why pay higher?
If you're working on Facebook security, is that a bet you're willing to take?

People might mostly take what they're offered and have it amount to a decent enough hourly rate, but there will be that one in ten or one in a hundred unhindered by moral and/or legal considerations.

At that point, it turns into a cost calculation - perhaps it would indeed be cheaper to pay tenfold or more to a hundred people than have just one sell their bug/exploit/whatever to another, more interested buyer?

> If you're working on Facebook security, is that a bet you're willing to take?

Apparently so. That's what they're offering and paying. The entity that most benefits from FB security is FB, and they seem to be OK doing this.

> If they are getting work done for the amounts paid, why pay higher?

To incentivize people to tell them and not sell it to hackers? Because these sorts of things are very valuable to Facebook and they have gobs of money? Because a higher total would make more people interested in looking for issues?

95% of people are incentivized enough to not sell to hackers by the incentive of not becoming a criminal.
I don't believe it's illegal to sell vulnerabilities.
Governments also buy zero days.
Sure, just walk into an embassy with a flash drive, I'm sure they've got sacks of doubloons in a basement safe just waiting for someone like you...
If anything it's to give people the incentive to actually flesh out a bug report and send it to them. I really have no idea where everyone's getting this "The black market will pay billions!" idea from.

Facebook is a closed system; an exploit there is worth precisely nada. Any use of it for monetary gain will be shut down fast and probably audit-logged to find you. Find a kernel-level exploit that allows you to execute any command you want at any administrative level on Windows/Linux/etc, which allows people to drastically increase their botnet size? That'll get you some cheese.

I guess the reasoning would be that some hackers probably have found vulnerabilities they'd rather sell on the black market for 50K than sell to Facebook for 5K.
Who is paying 50k for these things? A while back the Hacking Team dumps showed very low prices. Zero days in widespread desktop systems were like 100k. Why would a remote service flaw that can be fixed at a moment's notice be worth much more?

How do you recoup 50k on FB? Not a theoretical "I'll hack Tom Cruise's pictures and blackmail him" but an actual demonstrated business model.

If it's a government buying the exploit, they wouldn't care about recouping the cost. Hence why a large sum is feasible.
Didn't the HT leaks show vulns that'd be sold to anyone? An online service hack just wouldn't command the same pricing. Is there any source/docs to indicate that e.g. the NSA pays $50K for this kind of vuln?

Also note that the majority of government entities can just legally request information.