Is Facebook Bug Bounty Bogus?
11 points by chr13 4621 days ago
I didn't think it was bogus until I found a Facebook bug nearly 2 months ago. It was a valid bug and I created a video like everyone else. I submitted the bug to Facebook and thought this would be a spammer's dream come true if any spammers got hold of it. I thought they would fix it soon, but after 15 days I got a reply saying sorry for the delay and somebody would be looking into it soon. Now, after more than a month since that email and nearly 2 months since the filing of the bug, I hear nothing. I check the bug and it has been fixed. I can tell it has been fixed because the form output has changed and there definitely has been a code update. Maybe they are deliberately causing this delay so that fewer bugs will be revealed in the media and they don't look so bad?

I work at Facebook on the bug bounty program. If you have an email, name or ticket id, I can look into it for you.

There could be a few things going on here: maybe your bug was classified as low pri, maybe we misdiagnosed the bug.

Speculation, but I would call into question your assertion that we fixed something based on your submission and then attempted to hide/delay it. We have not and would not do such a thing.

It may not be intentional, but what about unintentional fixes? What happens to bugs that were valid when posted but fixed (unintentionally) right after a release/code deployment?
I need more information if you want me to look into this issue.

We have paid out on such issues before, but there is no hard rule. In general we err on paying out if there is any question. We have paid out before when a submission wasn't a bug at all but led us to some part of the code that we ourselves then found a security bug in.

It is in our best interest to pay out whenever possible. More payouts = more submissions = more security bugs found and fixed.

I think the report number is 173358208.
Cool, found it. Will respond in the email thread.
Thanks for the reply, that clears things up.
Any bug bounty program suffers from tons of junk mail from people who copy-paste definitions from OWASP and misunderstand what's going on.

Bug bounty programs are as legitimate as the company wants them to be, by providing the time of engineers to analyze the bugs and the funds to reward researchers. I don't think they can be bogus exactly; they are what they are.

Now, the reason they exist is because bugs have a value outside the bounty program. So you, as a researcher, either have something you can profit from (in which case the choice to report to the bounty is your personal choice and there are others should you have to reanalyze) or you have a worthless curiosity and you can't really complain that no one is giving you money.

It sounds like you spent time entering a 'marketplace' that you don't have the capability to fully participate in, if you're all hung up on Facebook turning over a reward.

You missed a key point: "responsible disclosure". Not only to the company but to the public. I care less about whatever bounty they give or do not give. They could just deny the bug, but this lingering is too much. I like Google's program, where you have to wait x number of days and then you can disclose any bug. I guess all I wish from these programs is that they fix the bugs fast, which is good for them. I did not spend time to enter anywhere. I was just curious one day and played around for an hour or two. I guess you are assuming too much about me and my capability, and you cared so much as to create an account just to reply to this post...meh :/
I have had 5-6 bounty bugs answered in very short order... this must have slipped through the cracks.