Hey Facebook, a Bug Bounty Program Isn’t a Replacement for Properly Reviewing the Security of Your Code
Earlier today we disclosed that two WordPress plugins developed by Facebook have vulnerabilities that stem from failing to do security basics. While these are relatively minor vulnerabilities, Facebook has introduced them on quite a few websites, as one of the plugins has 20,000+ installs and the other 200,000+. In another of their plugins, with 100,000+ installs, there is a minor security issue that involves one of the same security basics missed in the other two, though we wouldn't classify it as a vulnerability given what can actually be accomplished through it.
Since both vulnerabilities are in the type of code that is frequently involved in disclosed WordPress plugin vulnerabilities, they should not have been missed if security reviews of the plugins had been done, even if the entity doing the review wasn't very good at it. So it seems highly unlikely that Facebook had that done for these plugins.
Instead of doing that sort of thing, Facebook has a bug bounty program. It isn't clear whether these plugins would fall under that program, or whether they would even pay out any bounty for issues like these, considering language like this:
We determine bounty amounts based on a variety of factors, including (but not limited to) impact, ease of exploitation, and quality of the report. If we pay a bounty, the minimum reward is $500. Note that extremely low-risk issues may not qualify for a bounty at all.
But if they did pay out a bounty for both plugins, it would cost them twice as much as we would charge to do security reviews of both plugins. While bug bounties can be useful as an additional check on security, at least when it comes to their WordPress plugins Facebook would be better off, financially as well as security wise, getting things done right instead of relying on that.
(Even if we were not currently fully disclosing vulnerabilities, we likely couldn't participate in that program, since they state "You give us reasonable time to investigate and mitigate an issue you report before making public any information about the report or sharing such information with others." and we need to notify our customers in a timely manner about vulnerabilities in the plugins they use. You also need a Facebook account even to be able to report a vulnerability to them, which seems like an unnecessary hindrance to people trying to notify them of vulnerabilities.)