As we close out this year, we're sharing several updates on our work to protect people around the world against various threats. As part of this, we're sharing some updates from our bug bounty program over the past year, a look at how we're working with external researchers to help secure our virtual reality (VR) and mixed reality metaverse technology, and new payout guidelines with bounty amounts as high as $300,000.
We received hundreds of impactful bug reports in 2022 from researchers all over the world that have helped to make our community safer, and we paid out more than $2 million in bounty awards.
Here are some highlights from our bug bounty program:
- Since 2011, we have paid out more than $16 million in bug bounties.
- Since 2011, we have received more than 170,000 reports, of which more than 8,500 were awarded a bounty.
- So far in 2022, we have awarded more than $2 million to researchers from more than 45 countries.
- This year, we received around 10,000 reports in total, and issued bounties on more than 750 reports.
- The top three countries based on bounties awarded this year are India, Nepal and Tunisia.
Connecting the Bug Bounty Community With the Metaverse
This year, we prioritized further integrating our bug bounty program into our journey to the metaverse by:
Highlighting the Scope of Our Program: Today, we're updating our terms to highlight that our latest products, Meta Quest Pro and the Meta Quest Touch Pro controllers, are eligible for the bug bounty program.
Updating Payout Guidelines: We're adding new payout guidelines for VR technology, including bugs specific to Meta Quest Pro. We're among the first bug bounty programs to set payout guidelines for VR and mixed reality devices, and we'll continue to update and adjust them as the industry evolves.
Putting Our Technology in the Hands of Researchers: Because the bug bounty space is relatively new for many, we worked this year to make our hardware technology more accessible to the researcher community so they can find and report bugs. For example, we made our VR technology a focus of our annual BountyCon conference, the industry's only general conference for bug hunters. One of our highest-rated sessions at this year's conference was a presentation on how to hunt for bugs across our VR headsets and smart glasses. Following this session, we invited researchers to explore Meta Quest 2 devices and use them during our live hacking event.
One of the bugs we rewarded as part of the conference was submitted by our long-time researcher Youssef Sammouda, who reported an issue in Meta Quest's OAuth flow that could have led to a 2-click account takeover. We've fixed this issue, our investigation has found no evidence of abuse, and we rewarded this report a total of $44,250, including program bonuses.
New Payout Guidelines
To encourage research into specific areas, we're releasing updated payout guidelines for mobile remote code execution (RCE) bugs, in addition to brand new payout guidelines for account takeover (ATO) and two-factor authentication (2FA) bypass vulnerabilities.
These new guidelines range as high as $130,000 for ATO reports and $300,000 for mobile RCE bugs, making our Bug Bounty program one of the highest paying in the industry.
These guidelines are meant to set an average maximum payout for a particular bug class and to describe what mitigating factors we consider in determining the bounty, so that researchers can prioritize their hunting. Ultimately, each report is evaluated on a case-by-case basis and may, in some cases, be awarded more than the cap depending on the internally assessed impact.
Bug Highlights
The following are some examples of impactful bugs that we awarded under our new guidelines:
Account Takeover and Two-Factor Authentication Bypass Chain: We received a report from Yaala Abdellah, who identified a bug in Facebook's phone number-based account recovery flow that could have allowed an attacker to reset passwords and take over an account if it wasn't protected by 2FA. We've fixed this bug and found no evidence of abuse. We rewarded the researcher our highest bounty at $163,000, which reflects its maximum potential impact and program bonuses. While we were investigating, the researcher was able to build on an earlier finding to chain it to a separate 2FA bypass bug. We've fixed this issue and rewarded the researcher an additional bounty of $24,700, including program bonuses.
2FA Bypass: We also fixed a bug reported by Gtm Mänôz of Nepal, which could have allowed an attacker to bypass SMS-based 2FA by exploiting a rate-limiting issue to brute force the verification PIN required to confirm someone's phone number. We awarded a $27,200 bounty for this report.
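The 2FA bypass above comes down to a missing attempt budget: a six-digit verification PIN is only as strong as the number of guesses a verifier allows before it refuses to answer. The following is an added illustration written for this page, not Meta's code and not a description of the reported flow; it shows the control a defender wants on any phone-confirmation endpoint. The policy constants, the `VerificationService` class and the constructed phone number are all assumptions. Two separate limits matter: failed guesses per issued code, and how often a new code may be requested, since re-requesting a code would otherwise reset the first budget.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Policy values below are assumptions chosen for illustration, not Meta's settings.
CODE_DIGITS = 6
MAX_FAILED_ATTEMPTS = 5      # wrong guesses allowed per issued code before it is locked
CODE_TTL_SECONDS = 300       # how long an issued code stays valid
MAX_ISSUES_PER_WINDOW = 3    # new codes one phone number may request per window
ISSUE_WINDOW_SECONDS = 3600


@dataclass
class IssuedCode:
    code: str
    issued_at: float
    failed_attempts: int = 0
    consumed: bool = False


class VerificationService:
    """One outstanding SMS code per phone number, with a guess budget and a re-issue cap.

    Hypothetical service written for this example; the in-memory dicts stand in for
    whatever shared store a real deployment would use so that limits hold across hosts.
    """

    def __init__(self, clock: Callable[[], float] = time.monotonic):
        self._clock = clock                                  # injectable so tests control time
        self._codes: Dict[str, IssuedCode] = {}
        self._issue_times: Dict[str, List[float]] = {}

    def issue(self, phone: str) -> Optional[str]:
        """Generate a fresh code for `phone`, or None if the number hit the re-issue cap."""
        now = self._clock()
        recent = [t for t in self._issue_times.get(phone, []) if now - t < ISSUE_WINDOW_SECONDS]
        if len(recent) >= MAX_ISSUES_PER_WINDOW:
            return None   # without this cap, requesting a new code would reset the guess budget
        recent.append(now)
        self._issue_times[phone] = recent
        # CSPRNG: a predictable code would make the attempt budget irrelevant.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._codes[phone] = IssuedCode(code=code, issued_at=now)
        return code   # in production this goes to the SMS gateway, never back to the HTTP caller

    def verify(self, phone: str, guess: str) -> str:
        """Return 'ok', 'invalid', 'expired' or 'locked'. Only 'ok' consumes the code."""
        entry = self._codes.get(phone)
        if entry is None or entry.consumed:
            return "invalid"
        if self._clock() - entry.issued_at > CODE_TTL_SECONDS:
            del self._codes[phone]
            return "expired"
        if entry.failed_attempts >= MAX_FAILED_ATTEMPTS:
            return "locked"           # budget exhausted: even the right code is refused
        if hmac.compare_digest(entry.code, guess):
            entry.consumed = True
            return "ok"
        entry.failed_attempts += 1
        return "locked" if entry.failed_attempts >= MAX_FAILED_ATTEMPTS else "invalid"


if __name__ == "__main__":
    svc = VerificationService()
    phone = "+15555550100"            # constructed sample number
    code = svc.issue(phone)
    print("wrong guess ->", svc.verify(phone, "000000" if code != "000000" else "000001"))
    print("right guess ->", svc.verify(phone, code))
```

The budget is tracked per issued code rather than per source IP, because a brute-force attempt can be spread across many addresses while the target phone number stays fixed; a real deployment keeps the counters in a shared store and, as a detection signal, alerts when a single number accumulates repeated `locked` or re-issue refusals.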
Thanks to the bug bounty community for a great year — we're excited to work together again in 2023.