Facebook will pay for vulnerabilities found

Facebook will pay for information about access token leaks

Facebook has expanded its bug bounty program. The social network will now pay a reward for information about cases where user access tokens leak through third-party services and applications. The minimum reward is $500.

Access tokens allow Facebook users to log into other applications and are unique to each person, access request and application. Leaks can lead to various attacks, for example session interception and control over the account, data theft, or "man in the middle" attacks.

Previously, Facebook's rewards program did not apply to vulnerabilities in third-party services, but the company has now revised its approach, subject to a number of conditions. In particular, Facebook will consider vulnerability reports only if the issues were discovered in the process of “passive viewing of data sent from and to the device while using the app or web site.” During the analysis, researchers are not allowed to “manipulate requests sent to the application or website or otherwise interfere in the normal operation of the application or website.”

In addition, reports will be accepted only for vulnerabilities in applications with an audience of more than 50 thousand active users. Testing must be done only in the researcher's own account, and the report must include PoC code.

The updated program does not apply to vulnerabilities such as SQLi, XSS, open redirect, or bugs that allow permissions to be bypassed.

If the developers of an affected application or the operators of an affected website refuse to fix the problem, the company will suspend the application's or website's operation on the platform until the vulnerability is fixed.
