Back in 2011, Facebook launched its bug bounty program in an effort to provide recognition and compensation to security researchers for practicing responsible disclosure. The program is not bound by a maximum bounty reward. Instead, it awards monetary rewards based on the severity of each disclosed vulnerability, with $500 USD serving as the minimum payout. It is in response to this open approach that The State of Security named Facebook's initiative one of the essential bug bounty programs of 2015.
One of the reasons Facebook didn't set an upper monetary reward limit on bug reporting is because it knows it's not "easy" for researchers to find a vulnerability in the social media platform. Even with sufficient knowledge and impressive tools, it might take a researcher weeks or months of testing before they uncover a flaw. Many developers understand the struggle that consumes security researchers who decide to participate in Facebook's bug bounty program. For that reason, one developer named "phwd" decided to publish a guide that can help steer penetration testers in the right direction. In the resource, phwd lists a series of Facebook-related websites, explains their functions and describes what types of flaw researchers should look out for while probing those domains. For instance, since Facebook's Graph API uses various calls through http://graph.facebook.com/ that are either publicly accessible or which require some form of authorization via access tokens, a researcher could check to see if API calls are missing authorization checks or leaking data. Those authorization checks are relatively easy to find compared to the types of flaws researchers would need to look for on other Facebook domains, such as http://graph.facebook.com/graphql. Per phwd's explanation:
"You wouldn’t be able to get away with those low hanging fruits for authorisation checks like in graph.facebook.com. Getting these calls to work for you will probably be a task on its own (cert pinning in Facebook mobile applications). So patience and a lot of testing is needed here. There is no documentation since this is Facebook’s internal API. The rest is up to you."
All of that work isn't for naught, however. Included in the guide is a link to one such vulnerability found in the graphql domain that earned the developer Raja Sekar Durairaj a $5,500 USD bug bounty reward. The developer also provides links to vulnerabilities found in a series of other Facebook domains including http://business.facebook.com (where one can bulk edit ad data and manage business entities), http://developers.facebook.com (where third-party developers can read documentation), http://facebook-studio.com (a site that highlights creative agencies working with Facebook as a marketing platform), and http://intern.facebook.com (Facebook's internal network). They even take some time to lead researchers away from investigating certain dead-end vulnerabilities, most notably what some would consider privacy issues regarding whether private Facebook profiles show up on a connection's friend list. To read all of phwd's helpful hints and tips, please read the guide in full here. Is your company interested in launching its own bug bounty program? Click here for some expert insight on where and how you can start.
