In an effort to ensure that its advertising system is not plagued by any security bugs, Facebook has decided to double the amount of money it awards to researchers who identify vulnerabilities in the social media network’s ads code.
Facebook has conducted a comprehensive audit of the ads system and has fixed several issues. However, the company hopes independent security experts will identify the flaws its own team might have missed.
“Since the vast majority of bug reports we work on with the Whitehat community are focused on the more common parts of Facebook code, we hope to encourage researchers to become more familiar with the surface area of ads to better protect the businesses that use them,” Facebook Security Engineer Collin Greene wrote in a blog post last week.
Security researchers have reported ads-related issues to Facebook in the past, including an arbitrary local file read via a .zip symlink, a flaw that could have been leveraged to redeem the same ads coupon multiple times without expiry, and a bug that allowed the name of an unpublished page to be retrieved via the Ads Create Flow by guessing its Page ID.
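The first of those issues, an arbitrary local file read through a symlink inside an uploaded .zip, comes from extractors that materialize link entries (or entries whose names escape the destination directory) and then read the result back. The audit below is an added example written for this article, not Facebook's code: it inspects every entry's Unix mode bits and resolved path before anything is written to disk, and refuses the whole archive if either check fails. The sample archive, the entry names and the destination directory are constructed for the demonstration.

```python
import io
import stat
import zipfile
from pathlib import Path


def entry_is_symlink(info: zipfile.ZipInfo) -> bool:
    """True if the archive entry was stored as a Unix symbolic link.

    The Unix mode lives in the upper 16 bits of external_attr; a link entry
    carries S_IFLNK there and its file *data* is the link target, so a naive
    extractor recreates the link and a later read follows it.
    """
    mode = (info.external_attr >> 16) & 0xFFFF
    return stat.S_ISLNK(mode)


def audit_zip(zip_bytes: bytes, dest: str = "extract_out") -> list[tuple[str, str]]:
    """Return (entry_name, reason) for every entry that must not be extracted.

    Two checks: symlink entries, and names that resolve outside `dest`
    (absolute names or ".." components). Nothing is written to disk.
    """
    root = Path(dest).resolve()
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if entry_is_symlink(info):
                findings.append((info.filename, "symlink"))
                continue
            target = (root / info.filename).resolve()
            if target != root and root not in target.parents:
                findings.append((info.filename, "path traversal"))
    return findings


def safe_extract(zip_bytes: bytes, dest: str) -> list[str]:
    """Extract only after the audit passes; returns the extracted entry names."""
    findings = audit_zip(zip_bytes, dest)
    if findings:
        raise ValueError(f"refusing to extract unsafe archive: {findings}")
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        zf.extractall(dest)
        return zf.namelist()


def build_sample_zip() -> bytes:
    """Constructed sample archive (not from the article): one benign file,
    one symlink entry pointing at a system file, one traversal name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "harmless content\n")
        link = zipfile.ZipInfo("config.txt")
        link.external_attr = (stat.S_IFLNK | 0o777) << 16  # mark entry as a symlink
        zf.writestr(link, "/etc/hostname")                 # link target stored as data
        zf.writestr("../escape.txt", "would land outside dest\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in audit_zip(build_sample_zip()):
        print(f"blocked {name!r}: {reason}")
```

The audit rejects the archive as a whole rather than skipping bad entries, because a partially extracted upload is harder to reason about than none; the same two checks apply to tar archives, where link entries are explicit member types rather than mode bits.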
“At this stage of our bug bounty program, it’s uncommon for us to see many of the common web security bugs like XSS. What we see more often are things like missing or incorrect permissions checks, insufficient rate-limiting that can lead to scraping, edge-case CSRF issues, and problems with SWFs,” Greene said.
To date, Facebook has paid out over $3 million to researchers who have contributed to making the social networking website more secure.
Facebook is not the only company to increase bug bounties. In late September, Google announced rewards of up to $15,000 for serious vulnerabilities in the Chrome web browser.