Facebook is making a unique move with its bug bounty program, expanding its scope to include third-party apps and websites that may be exposing Facebook user tokens improperly.
While many software and technology companies, both large and small, have some variety of bug bounty in place, this appears to be the first program that will reward researchers for reports on this kind of third-party data exposure. It’s an interesting step by Facebook and one that illustrates how much bug bounty programs have matured and expanded in a few short years. Access tokens are an important piece of Facebook’s ecosystem, as they allow users to authenticate to outside apps and sites by using their Facebook credentials. Including them in the bounty program highlights the value that the company places on them.
“Access tokens allow people to log into another app using Facebook and are uniquely generated for the specific person and app. The user decides what information the token and app can access as well as what actions can be taken. If exposed, a token can potentially be misused, based on the permissions set by the user,” Dan Gurfinkel, a security engineering manager at Facebook, said.
“We want researchers to have a clear channel to report these important issues, and we want to do our part to protect people's information, even if the source of a bug is not in our direct control.”
Facebook will pay a minimum of $500 for reports of issues with access tokens, and there are some restrictions on how researchers can look for problems. For example, researchers can’t actively manipulate requests sent to or from their devices to third-party apps or sites. The discovery process has to come through passive observation of traffic from a researcher’s own device. Once Facebook confirms that a report is valid, the company’s engineers will work with the third-party company to help address the problem.
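To make the class of problem concrete, here is an added example (not Facebook's code and not the program's rules) of the check a third-party developer could run over HTTP requests captured from their own app before a researcher does. It assumes the token travels as the Graph API's `access_token` query parameter or as a Bearer `Authorization` header; `graph.facebook.com` is the real Graph API host, while the other hostnames, the `ALLOWED_TOKEN_HOSTS` set and the sample requests are constructed placeholders.

```python
"""Flag ways a Facebook access token can leave the device improperly.

Added example, not Facebook's code. Assumptions: the token is carried as an
`access_token` query parameter or a Bearer Authorization header; the app is only
entitled to share it with Facebook's Graph API and its own backend.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Hosts this hypothetical app may legitimately hand the token to (constructed,
# except graph.facebook.com). Any other destination counts as a third party.
ALLOWED_TOKEN_HOSTS = {"graph.facebook.com", "api.example-app.test"}

TOKEN_PARAM = "access_token"
BEARER_RE = re.compile(r"^Bearer\s+(\S+)$", re.IGNORECASE)

# Reason codes reported by the scanner.
CLEARTEXT = "cleartext"        # token sent over plain http://
THIRD_PARTY = "third_party"    # token sent to a host outside the allow-list
REFERER_LEAK = "referer"       # token carried in a Referer header


def _query_tokens(url):
    """Access tokens present in a URL's query string (empty set if none)."""
    return set(parse_qs(urlsplit(url).query).get(TOKEN_PARAM, []))


def extract_tokens(url, headers):
    """Return every access token visible in one request: URL, Authorization, Referer."""
    tokens = _query_tokens(url)
    match = BEARER_RE.match(headers.get("Authorization", ""))
    if match:
        tokens.add(match.group(1))
    tokens |= _query_tokens(headers.get("Referer", ""))
    return tokens


def find_exposures(requests):
    """Scan captured requests; return a list of {"url", "reason"} findings."""
    findings = []
    for req in requests:
        headers = req.get("headers", {})
        if not extract_tokens(req["url"], headers):
            continue  # no token in this request, nothing to leak
        parts = urlsplit(req["url"])
        host = parts.hostname or ""
        if parts.scheme != "https":
            findings.append({"url": req["url"], "reason": CLEARTEXT})
        if host not in ALLOWED_TOKEN_HOSTS:
            findings.append({"url": req["url"], "reason": THIRD_PARTY})
        if _query_tokens(headers.get("Referer", "")):
            findings.append({"url": req["url"], "reason": REFERER_LEAK})
    return findings


def redact_url(url):
    """Mask the token value so URLs can be written to application logs safely."""
    return re.sub(r"(%s=)[^&#]+" % re.escape(TOKEN_PARAM), r"\1[REDACTED]", url)


# Constructed sample traffic from the developer's own device; the token values are
# placeholders, not real tokens.
SAMPLE_REQUESTS = [
    # Legitimate: token goes to the Graph API over TLS.
    {"url": "https://graph.facebook.com/me?fields=id,name&access_token=TOK_CONSTRUCTED_1",
     "headers": {}},
    # Legitimate: token goes to the app's own backend in an Authorization header.
    {"url": "https://api.example-app.test/login",
     "headers": {"Authorization": "Bearer TOK_CONSTRUCTED_1"}},
    # Exposure: token forwarded to an analytics host.
    {"url": "https://pixel.example-analytics.test/collect?uid=42&access_token=TOK_CONSTRUCTED_1",
     "headers": {}},
    # Exposure: token to the right host, but over cleartext HTTP.
    {"url": "http://api.example-app.test/profile?access_token=TOK_CONSTRUCTED_1",
     "headers": {}},
    # Exposure: a page URL containing the token leaks it via Referer to a CDN.
    {"url": "https://cdn.example-fonts.test/font.woff",
     "headers": {"Referer": "https://example-app.test/callback?access_token=TOK_CONSTRUCTED_1"}},
]

if __name__ == "__main__":
    for finding in find_exposures(SAMPLE_REQUESTS):
        print(finding["reason"], redact_url(finding["url"]))
```

Run as a script it prints one line per finding with the token masked; the three exposure cases above produce four findings (the Referer case is both a third-party destination and a Referer leak), and the two legitimate requests produce none. Extending `ALLOWED_TOKEN_HOSTS` and redacting with `redact_url` before logging are the two knobs a developer would tune for their own app.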
“Apps that do not comply with our request promptly will be suspended from our platform until the issue has been addressed and a security review has been conducted. We will also automatically revoke access tokens that could have been compromised to prevent potential misuse, and alert those we believe to be affected, as appropriate,” Gurfinkel said.
Bug bounty programs have been around for decades in one form or another, but gained more relevance and prominence in the middle of the last decade as technology companies began to embrace the security research community as an asset rather than a hindrance. Companies such as Google, Microsoft, Mozilla, Apple, Uber, and many others have established bounty programs, and specialized firms such as Bugcrowd and HackerOne have sprung up to serve as platforms to manage those programs and serve as a go-between for researchers and vendors. Even the Department of Defense has gotten in on the game, with the Hack the Pentagon and Hack the Army initiatives.
Though bounty programs have spread widely in recent years, they’re not a one-size-fits-all solution to vulnerability disclosure, nor are they all created equal. Facebook is in a unique position to go down the road it did with third-party apps and sites because of the power it holds over its developer ecosystem. That’s not a move that many other companies could make, at least not in the same way. Facebook, like Apple, does a tremendous amount of vetting of the developers it lets on its platform and the value of being on that platform is quite high for those developers.
“I look at this as Facebook taking control of its developer ecosystem in a very strong way and I don’t think that anyone who doesn’t have the depth of experience that Facebook has in securing its own codebase and platform could possibly pull this off,” said hacker Katie Moussouris, CEO of Luta Security, a firm that advises companies on vulnerability disclosure and bug bounty programs.
“It’s a direct extension of Facebook trying to secure its user base. Facebook is raising the bar for developers on its platform, and that’s why the program is structured like that.”
There are a few other companies that might be able to build a similarly structured bounty program for their app ecosystems, such as Apple or Twitter. But the developer communities associated with those companies aren’t exactly the same as Facebook’s so it’s no sure bet.