New York Times reported that a breach at facebook exposed data of up to 50 million users:
Adversary.io has a good write-up regarding some of the details of the vulnerabilities involved.
Why didn’t the researcher who found these vulnerabilities report it through Facebook’s bug bounty? Could it be that the value of the Facebook data is greater to somebody than the value of the bug bounty that Facebook offers?
Facebook touts on their own blog about their “largest bug bounty payout ever”. The researcher found a remote code execution flaw in Facebook servers and didn’t even get a million dollars, according to her own writeup regarding the vulnerability. As she puts it, “Facebook informed me that, since the bug was now considered to be RCE, the payout would be higher. I won’t disclose the amount, but if you have any comments about how much you think this should be worth, please share them. Unfortunately, I didn’t get even close to the one-million dollar payout cited above. In case you’re wondering, I quoted Mr. McGeehan mostly as a joke.” Mr. McGeehan, head of incident response was quoted in a Bloomberg article as saying “If there’s a million dollar bug, we will pay it out”.
To be clear, exploiting a bug and stealing the data is probably the work of organized cyber-crime, a nation state, or Spectre. Facebook’s own bug bounty program isn’t explicit about the value of such a bug although they recently posted a new program offering rewards for access token exposure. Reading their terms, they say the minimum payout is $500. Essentially, Facebook is gambling on underpaying for bug disclosure, as the whole “bug bounty” movement does.
The way I see it, a bug that enables compromise of 50 million users accounts, is valued somewhere between 1 million and 8 billion dollars. How do I get to such an astronomical figure? Simple.
Facebook, since the New York Times story broke, has lagged the NASDAQ index that it is in by about 1.8% (see graph below). Since Facebook’s market capitalization today is about 444 Billion, 1.8% of that underperformance comes out to about 8 billion dollars.
There could be other reasons why Facebook is down more than the NASDAQ, overvaluation could be one. Even accounting for that, the astronomical loss in value over the past month as compared to the broader index, suggests Facebook is underpaying researchers for these sorts of bugs. There are probably solutions for this, like having an independent organization evaluating the “value” of bug disclosure.
As far as I’m concerned, the No More Free Bugs movement has had a huge impact on the market for vulnerabilities, and getting researchers paid something. Vendors have demonstrated that the search for bugs can be somewhat lucrative. Maybe it’s time though, for the market to pay “market value” of 0-day.