Facebook announced today that it has awarded its biggest bug bounty payout since the program’s start in 2011. The social networking company revealed that Brazilian computer engineer Reginaldo Silva cast a spotlight on an XML external entities vulnerability that, if left unchecked, could have allowed someone to read “arbitrary files” on the webserver. As a result, Facebook rewarded Silva for his discovery and paid him $33,500.
In a Facebook post, the company shares that it received a bug report from Silva back in November and that upon verifying the issue, implemented a fix that would take care of part of the issue. After the bug was gone, the engineering team needed to figure out how to distribute it to all of Facebook’s webservers. To accomplish this task, the team utilized a tool called Takedown that helped prioritize the line of code needed to repair the damage above all other requests.
F**k it, we'll do it live!
Our biggest ever edition of TNW Conference is fast approaching! Join 10,000 tech leaders this May in Amsterdam.
Of course, all of the effort thus far was to rectify the problem — now Facebook needed to investigate to understand what went wrong and if there were any other parts of the code that were vulnerable.
Prior to Silva, in June, a British researcher received $20,000 for discovering a security flaw on Facebook and was paid out through the bug bounty program. It was set up as a means to allow whitehat hackers to disclose vulnerabilities in the social network to the company in a safe manner so that user data isn’t compromised and the social network as a whole is improved.
But while Facebook says that the $33,500 payout to Silva was its highest to date, there’s really no maximum reward.
Photo credit: RAUL ARBOLEDA/AFP/Getty Images