Pysa - https://engineering.fb.com/2020/08/07/security/pysa/
Here is our experience building and using program analysis as part of our product security efforts at facebook: https://engineering.fb.com/security/zoncolan/. Its run in both self-service (output to developers), guided…
https://www.facebook.com/data-abuse - as mentioned in the article this scenario (non-fb companies mishandling fb user data) is exactly the reason Facebooks data abuse bounty program exists. Hopefully the finders of this…
This exists, https://internetbugbounty.org/ Facebook, microsoft, github, etc all pay $$ and our time into a pool that is used to incentivize the finding, vetting and fixing of security flaws in major software running…
I work at Facebook and have personally seen no evidence of this. The article cites one designer who left (out of ~25,000+ total Facebook employees).
The two people interviewed were fired for cause from this same program, of course they will have a negative opinion. One even fired for the same thing this safety driver failed to do. >Both Kelley and the former driver…
> Why do you think the LIDAR did not work? The LIDAR might have worked just fine but what the system taking the output of the sensor did with the data is the question. Very true. I don't know either way.
Internal abuse is a big area of effort for Facebook and google but things still go wrong. Here was googles moment for that back in 2010: https://www.wired.com/2010/09/google-spy/
>I don’t understand ... why aren’t the default settings of an account more secure and private? They are (for the most relevant definition of your question). Specifically a Facebook app you choose to install can no…
This exists and companies purchase it, ex: https://www.thehartford.com/data-breach-insurance Risks (all kinds, not just technical) can be accepted, ignored, transferred and mitigated so it is important to have this…
I don't think anyone in security would disagree with you. The problem is measuring something that is sort of definitionally unknowable (how many vulns are in this code, where, how likely is it someone outside the…
+1 to starting a private program first which is recommended by all bounty programs. If helpful I wrote down my notes about starting a bounty program although my experiences were formed by larger companies…
Nice, these look superior to the intel books (which intel graciously printed then mailed to me for free like 10 years ago, go intel!). Ill check them out.
Assembly Language step by step by Jeff Duntemann remains one of my favorite books overall (not just programming, not just computers). It was updated in the last few years and the 3rd edition remains quite good.
Your acute mistaken conclusion> Simply throwing money at FOSS will not fix any security bugs. I can't think of anything closer to "throwing money at FOSS" than something like the internet bug bounty. Google/Facebook/etc…
Maybe you just enjoy hyperbole but while part of what you say is correct (finding security vulns in software is unavoidably a bit of a crapshoot) your conclusions are wrong. Finding deep, serious vulns like this in…
Cool article! A friend and I once did this but then recorded the commands attackers ran and replayed them on a big tv in our office. We called it hacker fishtank.
To echo this sentiment: In 2013 facebook received 14,763 submissions which lead to 687 paid issues, 1 : 21 signal to noise. Facebook errs on the side of paying out as often as possible even for lame bugs (apache shows…
This is really great. I have found myself saying some of these same things when explaining things. Going to keep this in my pocket to use in the future. Thanks!
Replying as discussion originally seemed to be about first/last/profile picture privacy. The scenario is: you are not able to get into your rightful facebook account but you know some information (phone, email) that is…
Google is on board. """ is sponsored by Microsoft and Facebook. It will be jointly controlled by researchers from those companies along with their counterparts at Google, """
Cool, found it. Will respond in the email thread.
I need more information if you want me to look into this issue. We have paid out on such issues before but there is no hard rule. In general we err on paying out if there is any question. We have paid out before when a…
I work at facebook on the bug bounty program, if you have an email, name or ticket id I can look into it for you. There could be a few things going on here, maybe your bug was classified as low pri, maybe we…
Because of the volume of reports we have settled on a scan every new item quickly, categorize it into severity and then respond. As you say it is a minor privacy issue so it looks like it went into a lower-pri area. I…
Pysa - https://engineering.fb.com/2020/08/07/security/pysa/
Here is our experience building and using program analysis as part of our product security efforts at facebook: https://engineering.fb.com/security/zoncolan/. Its run in both self-service (output to developers), guided…
https://www.facebook.com/data-abuse - as mentioned in the article this scenario (non-fb companies mishandling fb user data) is exactly the reason Facebooks data abuse bounty program exists. Hopefully the finders of this…
This exists, https://internetbugbounty.org/ Facebook, microsoft, github, etc all pay $$ and our time into a pool that is used to incentivize the finding, vetting and fixing of security flaws in major software running…
I work at Facebook and have personally seen no evidence of this. The article cites one designer who left (out of ~25,000+ total Facebook employees).
The two people interviewed were fired for cause from this same program, of course they will have a negative opinion. One even fired for the same thing this safety driver failed to do. >Both Kelley and the former driver…
> Why do you think the LIDAR did not work? The LIDAR might have worked just fine but what the system taking the output of the sensor did with the data is the question. Very true. I don't know either way.
Internal abuse is a big area of effort for Facebook and google but things still go wrong. Here was googles moment for that back in 2010: https://www.wired.com/2010/09/google-spy/
>I don’t understand ... why aren’t the default settings of an account more secure and private? They are (for the most relevant definition of your question). Specifically a Facebook app you choose to install can no…
This exists and companies purchase it, ex: https://www.thehartford.com/data-breach-insurance Risks (all kinds, not just technical) can be accepted, ignored, transferred and mitigated so it is important to have this…
I don't think anyone in security would disagree with you. The problem is measuring something that is sort of definitionally unknowable (how many vulns are in this code, where, how likely is it someone outside the…
+1 to starting a private program first which is recommended by all bounty programs. If helpful I wrote down my notes about starting a bounty program although my experiences were formed by larger companies…
Nice, these look superior to the intel books (which intel graciously printed then mailed to me for free like 10 years ago, go intel!). Ill check them out.
Assembly Language step by step by Jeff Duntemann remains one of my favorite books overall (not just programming, not just computers). It was updated in the last few years and the 3rd edition remains quite good.
Your acute mistaken conclusion> Simply throwing money at FOSS will not fix any security bugs. I can't think of anything closer to "throwing money at FOSS" than something like the internet bug bounty. Google/Facebook/etc…
Maybe you just enjoy hyperbole but while part of what you say is correct (finding security vulns in software is unavoidably a bit of a crapshoot) your conclusions are wrong. Finding deep, serious vulns like this in…
Cool article! A friend and I once did this but then recorded the commands attackers ran and replayed them on a big tv in our office. We called it hacker fishtank.
To echo this sentiment: In 2013 facebook received 14,763 submissions which lead to 687 paid issues, 1 : 21 signal to noise. Facebook errs on the side of paying out as often as possible even for lame bugs (apache shows…
This is really great. I have found myself saying some of these same things when explaining things. Going to keep this in my pocket to use in the future. Thanks!
Replying as discussion originally seemed to be about first/last/profile picture privacy. The scenario is: you are not able to get into your rightful facebook account but you know some information (phone, email) that is…
Google is on board. """ is sponsored by Microsoft and Facebook. It will be jointly controlled by researchers from those companies along with their counterparts at Google, """
Cool, found it. Will respond in the email thread.
I need more information if you want me to look into this issue. We have paid out on such issues before but there is no hard rule. In general we err on paying out if there is any question. We have paid out before when a…
I work at facebook on the bug bounty program, if you have an email, name or ticket id I can look into it for you. There could be a few things going on here, maybe your bug was classified as low pri, maybe we…
Because of the volume of reports we have settled on a scan every new item quickly, categorize it into severity and then respond. As you say it is a minor privacy issue so it looks like it went into a lower-pri area. I…