How I got a $3,500 USD Facebook Bug Bounty (opens in new tab)

I'm very sorry you had this experience. We would never intentionally ignore a legitimate bug report. If you could send me a message (link in profile) with the e-mail address you used, I'd be happy to get to the bottom of this.

Bummer to hear, I too reported a privacy setting circumvention, and I did receive compensation. I think a big part of it is being the first person to report the error.

To report a security or privacy vulnerability to Facebook use their Report a Security Vulnerability form: http://www.facebook.com/whitehat/report/ Anyway else and you risk your report not being received.

This is why we have "Responsible Disclosure". Basically if you make a good faith attempt to tell the company in private, and they do nothing, it is then not wrong for you to publicly release details of the exploit. This tends to get their attention.

Probably wanted to avoid more flack related to privacy concerns ...

> I'm sure everybody escapes their input.

That's the fundamental mistake. Don't escape input, escape output. If you're interpolating values into queries, that's an output that you need to escape for. If you're sending data to a browser, that's another output that you need to escape for (with different escaping rules).

It wasn't so many years ago that xss wasn't on anyone's radar (just like sql injection years before that). Over the years I've worked on dozens of sites that were exploitable via XSS (many older ones that probably still are).

It's easy to get wrong - especially when you look through the list of different subtle ways you could mis-escape something [0].

The only thing protecting the majority of sites is that exploiting them just isn't desirable.

[0] https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_She...

I recently found a pretty simple one on https://accounts.google.com/, which is arguably Google's most valued domain. I believe XSS is the most common vulnerability these days. One doesn't even have to be able to inject javascript per se. Only a CSS style is enough in many cases.

The problem I see is that if you aren't using a templating engine which automatically escapes things, people will make mistakes. Even then, there's times that you need to output raw HTML and perhaps end up forgetting to escape the part that was user input.

A few years ago, I found a simple one on the apple.com store. No bounty, but they said thanks in an email! :)

Yes. And SQL injections are still #1 followed by code injection as #2 app vulnerabilities (I believe that's from last year but I wouldn't expect changes). XSS is up there. Why not? It's so easy and there is no excuse for any of this. None. Period.

This is the point of responsible disclosure. Tell the company, wait a week or whatever, if they do nothing, then it's ethnical for you to tell the world.

For XSS? No.

Of course it would. That's the idea of blackhat.

That goes against some people's conscience and they would find it immoral to do the wrong thing.

(i.e. you won't get that warm fuzzy feeling of doing the right thing with the blackhat market)

Do they give you a CC number you can use as much as you want?

Yeah, the OP is a really nice person. Because FB doesn't deserve this, not for $3.5k, maybe for $35k but more for around $350k to $3.5m. Guaranteed by contract.

The security community has curious norms for social status, when viewed from the outside. This is true of many communities. (A brief sampling: karma on HN looks crazy to Japanese salarymen. An open-floorplan desk closest to the window looks crazy to an American academic. "Your name, in small print, first among three names in a dead-tree publication that no one reads." sounds pretty crazy to most HNers.)

There's very curious mating rituals for selling security consulting. Ask Thomas for the specifics -- he's far better versed in them than I am. Suffice it to say that "I owned X -- here's proof" is very much not of zero value while you're doing that dance.

Well, one obvious answer would be, "don't bother to tell them".

Of course, it's hard to think of what else you might do with a Dropbox web finding. I sort of doubt there's a liquid market in Dropbox vulnerabilities. For one thing, vulnerabilities that do have markets tend to have patch lifecycles longer than "instantaneously fixed as soon as target finds out about vulnerability".

You can also choose to publish on your own website. This buys you not a whole lot more than just informing Dropbox, except to signal to the professional market that you will go out of your way not to help people like Dropbox when you find a bug.

Nobody in the whole wide world is obligated to do free research for Dropbox. That's not what pages like these are meant to imply.

"Why even bother to tell them then?"

Believe it or not. There is also the aspect of civil courage, one willing to protect the others from potential harm. Detectify was born out of the frustration that an overwhelming part of the internet is completely unsecure for users. Usually completely unaware users.

Analogy: It's like you walking by a leaning scaffold with people passing under it. You realize that the scaffold is just a hair's breadth from rambling down, potentially harming a bunch of people. Bounty or not, you report to the authorities or the hard hats. Don't you?

Co-founder @ detectify.com Happy to be making a buck while hopefully making the interwebz a safer place ;)

Being on the thanks page looks great on your Résumé, which can land you a nice, high-paying job.

They also give you a pretty large amount of storage for life.

It's more of a "security bug bounty". I'm sure they appreciate your fix, but that's not really the point of the program. ;-)

(This is quite clear from http://www.facebook.com/whitehat/bounty/.)

Publish it afterwards!