This article was published on January 23, 2014

Facebook pays Brazilian engineer $33,500 for security bug in highest payout to date


Facebook pays Brazilian engineer $33,500 for security bug in highest payout to date

Facebook announced today that it has awarded its biggest bug bounty payout since the program’s start in 2011. The social networking company revealed that Brazilian computer engineer Reginaldo Silva cast a spotlight on an XML external entities vulnerability that, if left unchecked, could have allowed someone to read “arbitrary files” on the webserver. As a result, Facebook rewarded Silva for his discovery and paid him $33,500.

In a Facebook post, the company shares that it received a bug report from Silva back in November and that upon verifying the issue, implemented a fix that would take care of part of the issue. After the bug was gone, the engineering team needed to figure out how to distribute it to all of Facebook’s webservers. To accomplish this task, the team utilized a tool called Takedown that helped prioritize the line of code needed to repair the damage above all other requests.

Of course, all of the effort thus far was to rectify the problem — now Facebook needed to investigate to understand what went wrong and if there were any other parts of the code that were vulnerable.

You can read the whole explanation on Facebook, along with Silva’s own thoughts here.

The 💜 of EU tech

The latest rumblings from the EU tech scene, a story from our wise ol' founder Boris, and some questionable AI art. It's free, every week, in your inbox. Sign up now!

Prior to Silva, in June, a British researcher received $20,000 for discovering a security flaw on Facebook and was paid out through the bug bounty program. It was set up as a means to allow whitehat hackers to disclose vulnerabilities in the social network to the company in a safe manner so that user data isn’t compromised and the social network as a whole is improved.

But while Facebook says that the $33,500 payout to Silva was its highest to date, there’s really no maximum reward.

Photo credit: RAUL ARBOLEDA/AFP/Getty Images

Get the TNW newsletter

Get the most important tech news in your inbox each week.

Also tagged with