India is the top bug-reporting country in the world. The security community in India is very strong and growing every day. India ranks first in bug reporting and is the highest-paid country for bugs among the 127 countries across the globe.
About the Researchers Conference at Nullcon (Goa), India
Team Facebook went to Nullcon (Goa), India's largest InfoSec conference, to meet with researchers from the bug bounty program.
Naturally, we were eager to meet some of these researchers who have helped us better protect the people on Facebook.
One of the best ways we can advocate for the security researcher community is to acknowledge that the success of our bug bounty program isn’t just about the individual vulnerability reports we receive.
It’s also about building positive relationships with thousands of people whose technical and cultural experiences may differ from our own.
These relationships require trust, and we appreciate that so many researchers in India have demonstrated their trust in us through the numerous bugs they’ve reported over the years.
The Facebook bug bounty program pays out based on a bug’s risk, rather than its complexity or cleverness. This means you can maximize the value of your report by focusing on high-impact areas and submitting a good-quality report.
About the Bug Bounty Program
The bug bounty program was launched in 2011. Since then it has received 2,400+ valid submissions and awarded more than $4.3 million to 800+ researchers around the world.
As the program matures and traditional security issues like XSS and CSRF become more difficult to find, many of our top participants are focusing their research on our business logic.
As Facebook grows, we’ve gotten better at protecting against traditional security issues very early in our stack, using tools and frameworks such as XHP and React.
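The sentence above credits frameworks such as XHP and React with stopping classic XSS early in the stack. The mechanism behind that is escape-by-default rendering: every value interpolated into markup is HTML-escaped unless the developer explicitly opts into raw HTML. The block below is an added illustration of that principle, not Facebook's XHP or React code; the `html` tagged template, the `RawHtml` wrapper and the sample profile name are this example's own constructs.

```javascript
// Added example, not Facebook's XHP or React code: a minimal
// escape-by-default renderer illustrating the principle those
// frameworks apply (untrusted values are HTML-escaped unless a
// developer explicitly opts into raw markup).

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can break out of text or attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Wrapper that marks a string as trusted markup. It mirrors the idea of an
// explicit, greppable opt-out (React's dangerouslySetInnerHTML); the name
// RawHtml is this example's own.
class RawHtml {
  constructor(markup) { this.markup = markup; }
}

// Tagged template: every interpolated value is escaped unless it is
// wrapped in RawHtml. Returns the rendered HTML string.
function html(strings, ...values) {
  return strings.reduce((out, chunk, i) => {
    if (i === 0) return chunk;
    const v = values[i - 1];
    const rendered = v instanceof RawHtml ? v.markup : escapeHtml(v);
    return out + rendered + chunk;
  }, '');
}

// Constructed sample input: a profile name carrying a script tag, the kind
// of value an attacker-controlled field might contain.
const UNTRUSTED_NAME = '<script>alert(1)</script>Mallory';

// Render a profile card; the name is escaped automatically because the
// template, not the call site, decides how values are encoded.
function renderProfileCard(name) {
  return html`<div class="card"><span class="name">${name}</span></div>`;
}

// Sanity check a rendered fragment: no live <script> tag may survive.
function isInert(markup) {
  return !/<script\b/i.test(markup);
}

console.log(renderProfileCard(UNTRUSTED_NAME));
console.log('inert:', isInert(renderProfileCard(UNTRUSTED_NAME)));
```

The point a reviewer should take from this is that the safe path is the default path: a developer who simply writes `${name}` gets escaping for free, and the only way to emit raw markup is through a wrapper that stands out in code review. That is why, once such a framework is in place, new reports tend to shift from injection bugs to business-logic issues.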
The Facebook team classified 102 bug bounty submissions as high impact, an increase of 38 percent over 2014. This growth reflects two particularly important trends.
First, the quality of reports received is getting better over time, both in terms of clear step-by-step instructions to reproduce the issue and thoughtful consideration of the potential risk to people who use Facebook.
Some researchers include attack scenarios in their reports, which is also helpful. The best reports come from researchers who prioritize a few important issues instead of submitting a large number of reports about various low-impact bugs.
The second trend is that we’re receiving more reports about inconsistencies in our business logic, which give us the ability to eradicate entire classes of vulnerabilities all at once.
With our vantage point (and source code access), we can apply a researcher’s findings to our entire codebase, and if we find any unintended or potentially confusing behavior, the report is quickly assigned as high impact.
Both high-quality reports and the focus on business logic make it easier for our team to better evaluate high-impact submissions.