Is Facebook Bug Bounty Bogus?
I didn't think it was bogus until I found a Facebook Bug nearly 2 months ago. It was a valid bug and I created a video like everyone else. I submitted the bug to facebook and thougth this would be a spammer's dream come true if any spammers get hold of it. I thought they would fix it soon, but after 15 days I get a reply saying sorry for the delay and somebody will be looking into it soon.
Now after more than a month since that email and nearly 2 months since the filing of the bug, I hear nothing. I check the bug and it has been fixed. I can tell it has been fixed because the form output has changed and there definitely has been a code update.
May be they are deliberately causing this delay so that less number of bug will be revealed in media and they don't look so bad ?
12 comments
[ 3.7 ms ] story [ 39.2 ms ] threadBug bounty programs are as legitimate as the company wants them to be by providing the time of engineers to analyze the bugs and the funds to reward researches. I don't think they can be bogus exactly, they are what they are.
Now, the reason they exist is because bugs have a value outside the bounty program. So you, as a researcher, either have something you can profit from (in which case the choice to report to the bounty is your personal choice and there are others should you have to reanalyze) or you have a worthless curiosity and you can't really complain that no one is giving you money.
It sounds like you spent time entering a 'marketplace' that you don't have the capability to fully participate in, if you're all hung up on Facebook turning over a reward.
There could be a few things going on here, maybe your bug was classified as low pri, maybe we misdiagnosed the bug.
Speculation but I would call into question your assertion that we fixed something based on your submission and then attempted to hide/delay it. We have not and would not do such a thing.
We have paid out on such issues before but there is no hard rule. In general we err on paying out if there is any question. We have paid out before when a submission wasn't a bug at all but lead us to some part of the code that we ourselves then found a security bug in.
It is in our best interest to payout whenever possible. More payouts = more submissions = more security bugs found and fixed.
"Sorry it took a while to respond. It took us longer than normal because we have had a few weeks of higher than average volume and this ticket was marked as fixed but we hadn't corresponded back to you yet."
"This was indeed fixed by a separate diff that had been committed but was not yet live when you submitted the issue. So in this case we didn't learn about a new issue but we did double-check some of our assumptions around this stuff."
And I got a reward of $500. Here is the POC http://www.youtube.com/watch?v=x5HXv7nPgYo