Ryabitskaya Elena / Shutterstock
In its largest payout to date, Facebook awarded a security researcher $33,500 after he found a system vulnerability that could have had major repercussions on the social network’s systems.
The researcher, Brazilian computer engineer Reginaldo Silva, discovered vulnerabilities in OpenID, a technology which Facebook can use to help people who have lost their passwords to verify their identities. After Silva found an exploit in Facebook’s handling of OpenID requests, he discovered he potentially had access to files containing lists of Facebook user accounts.
In a personal blog post, Silva wrote that he reported the vulnerability immediately, and Facebook implemented a fix for the bug within hours.
“We knew we wanted to pay out a lot because of the severity of the issue,” Facebook’s Bug Bounty team said in a post. “As always, we design our payouts to reward the hard work of researchers who are already inclined to do the right thing and report bugs to the affected vendors.”
Facebook has long hosted a bug bounty program, inviting security researchers to report any flaws discovered in the company’s systems for a reward. The practice of finding and discovering potential vulnerabilities — known as “White Hat hacking” — is a long established one, an exercise for those who want to help improve system security rather than exploit it. To date, Silva’s payday was the largest Facebook has paid out to a hacker since it began its program in 2011.
Though for his benevolence (and such a major bug), some say Silva’s payout should have been higher. One forum participant on the online community Hacker News pointed to a similar program hosted by Microsoft, in which the company paid a security researcher $100,000 for his find.
Still, karma, a day in the sun and 33 grand aren’t too bad for a few days of work.