Facebook released a new payout guideline on Thursday to help vulnerability researchers better understand its bounty decisions for certain flaws.
In the section “Who can search you up using the email address or phone number you provided,” the new guideline specifically addresses security vulnerabilities in contact point visibility settings.
According to the new policy, Facebook will pay up to $10,000 “for reports that demonstrate the ability to obtain one or more contact points (i.e. phone number or email) from an account that has their ‘Who can look you up using the email address or phone number you provided’ settings configured to ‘Only Me’ or ‘Friends,’” the social media platform explains.
Facebook also says that when deciding how much to pay a researcher, it considers things like whether the exploit requires user involvement, if the attacker needs to be in a privileged position, and whether the attack is applicable to Workplace or not. The bigger the bounty granted, the fewer mitigating variables detected.
A security researcher was awarded a $40,000 bounty for a report explaining how a pair of vulnerabilities may be chained to take over user accounts, partially under the newly released criteria and partially under the company’s account takeover guideline.
One of the flaws allowed a researcher to find the user ID of a valid user email or phone number, which could then be used to force a password reset for the user ID by brute-forcing the verification code required by Facebook to confirm the phone number contact point.
According to the social media network, there was no proof of harmful usage of this scenario. The problems have been resolved.
According to Facebook, another researcher was offered a $15,000 reward for discovering that the default setting for newly-added phone numbers and emails was set to “Friends” rather than “Only Me,” despite the fact that this was displayed to the user when submitting contact points.
“We rectified these settings for users whose visibility configuration we believe was impacted by the email and phone number vulnerabilities. To prevent future vulnerabilities, we rolled out a remedy across all of our products and predicated our reward award on the largest probable damage. “We discovered no evidence that this information was scraped,” Facebook says.
The news comes less than a week after the social media platform introduced Researcher Collaboration Payouts, which allow reward payouts to be split among numerous researchers who collaborated on a single submission. These rewards should include circumstances in which research teams collaborate to find complex bug chains with significant security implications.