Facebook Inc (NASDAQ:FB) paid a Brazilian engineer its highest bug bounty to date after he reported an XML external entity (XXE) vulnerability that, if left unresolved, could have allowed an attacker to read arbitrary files on the web server.
According to the social network giant, the bug report was submitted by Reginaldo Silva in November. The company's security team investigated Silva's claim immediately; a report of this calibre was a strong validation of the bug bounty program it had been building and running since 2011.
Bug report well written
Facebook Inc (NASDAQ:FB) said the bug report was well written and included proof of concept. The security team was able to easily reproduce the issue and filed an urgent task after running the proof of concept code to verify the issue, which triggered notifications to the on-call employees of the social network giant.
The security team discovered that the reported vulnerability was huge, and immediately implemented a fix by flipping a flag that causes the company's XML parsing library to disallow the resolution of external entities. The team said, "This initial fix was simple enough to fit on one line: libxml_disable_entity_loader(true)."
According to the security team, they used a tool called Takedown to roll the fix out to the web servers of Facebook Inc (NASDAQ:FB). The team explained that they chose Takedown because it runs at a low level, before much of the request processing happens, and allows engineers to define rules to block, log and modify requests.
“Takedown helped us ensure this line of code ran before anything else for any requests hitting /openid/receiver.php. This was our immediate short term fix,” according to the security team.
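The one-line fix quoted above switches off external entity resolution in PHP's libxml. As an added illustration, not Facebook's code, the following Python applies the same policy with the standard library's expat parser: any entity declared with a SYSTEM or PUBLIC identifier aborts the parse, while ordinary internal entities still expand. The two sample documents are constructed for the example, and the external identifier is a placeholder that is never opened.

```python
# Added example (not Facebook's code): parse XML while refusing to resolve
# external entities, the policy libxml_disable_entity_loader(true) enforces
# in the fix above, implemented with Python's bundled expat parser.
import xml.parsers.expat as expat


class ExternalEntityBlocked(Exception):
    """Raised when a document declares an entity with an external identifier."""


def parse_without_external_entities(xml_bytes: bytes) -> str:
    """Return the document's character data, expanding only internal entities.

    Any <!ENTITY ...> declaration with a SYSTEM or PUBLIC identifier, general
    or parameter, aborts parsing, so the parser never opens a file or URL.
    """
    parser = expat.ParserCreate()
    # Never fetch an external DTD subset or external parameter entities.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    text_parts = []

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        if system_id is not None or public_id is not None:
            # An exception raised inside a handler propagates out of Parse().
            raise ExternalEntityBlocked(f"entity {name!r} -> {system_id or public_id!r}")

    # Second line of defence: returning 0 makes expat fail the parse rather
    # than load the resource if a reference ever reaches this handler.
    parser.ExternalEntityRefHandler = lambda ctx, base, sid, pid: 0
    parser.EntityDeclHandler = on_entity_decl
    parser.CharacterDataHandler = text_parts.append
    parser.Parse(xml_bytes, True)
    return "".join(text_parts)


def is_accepted(xml_bytes: bytes) -> bool:
    # True if the document parses under the no-external-entities policy.
    try:
        parse_without_external_entities(xml_bytes)
        return True
    except (ExternalEntityBlocked, expat.ExpatError):
        return False


# Constructed sample inputs: an ordinary internal entity, and an entity
# that points outside the document (placeholder path, never opened).
INTERNAL_ENTITY_DOC = b"""<!DOCTYPE r [ <!ENTITY greet "hello"> ]>
<r>&greet; world</r>"""
EXTERNAL_ENTITY_DOC = b"""<!DOCTYPE r [ <!ENTITY ext SYSTEM "file:///placeholder/path"> ]>
<r>&ext;</r>"""
```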
Facebook Inc (NASDAQ:FB) managed to fix the bug within 3.5 hours after Silva reported it. He received the $33,500 bug bounty.
Previous bug bounty
Last June, the social network giant also paid a $20,000 bug bounty to a security researcher who found a bug that would allow a user to take over any other account on the website without any human interaction.
An Indian electronics communications engineer received a bug bounty of $12,500 from Facebook Inc (NASDAQ:FB) after reporting an issue that would allow a user to delete an image on a page without human interaction.
Facebook refuses to reward Zuckerberg’s timeline hacker
Last August, Facebook Inc (NASDAQ:FB) refused to reward a white hat hacker who found a vulnerability on the social network's website because of his unethical method of reporting it. After the security team ignored the report he had e-mailed them, Khalil Shreateh used the bug to post on the timeline of CEO Mark Zuckerberg.
Joe Sullivan, chief security officer of Facebook Inc (NASDAQ:FB), explained that Shreateh will not receive any bug bounty because he violated the company’s terms of service.