Web App Pen Testers

Maybe make some extra Christmas cash?

Facebook pays $40,000 "bug bounty" to hackers - Aug. 30, 2011

Find more posts tagged with

Comments

So what keeps my ISP (Verizon) from cancelling my account for attempting to hack into Facebook? Maybe people should do it anonymously from Starbucks. And there's got to be a contract to sign with Facebook stating the rules of engagement.

These types of offers may be small change money-wise, but if you do get paid for finding something, you can brag about it on your CV, and that's a great way to start a career as a pen tester.

veritas_libertas

JDMurray wrote: »

So what keeps my ISP (Verizon) from cancelling my account for attempting to hack into Facebook? Maybe people should do it anonymously from Starbucks. And there's got to be a contract to sign with Facebook stating the rules of engagement.

These types of offers many be small change money-wise, but if you do get paid for finding something, you can brag about it on your CV, and that's a great way to start a career as a pen tester.

You're crazy if you don't get a signed document. If you decide to do it at Starbucks, make sure you read the fine print before you load BackTrack

chrisone

This is also dangerous for facebook, say you deliberately hack and bring them down or deface the website. You get caught, and sued, you easily have an out clause because you can say you were trying to help facebook and possibly get paid for your work.

I saw this as an immediate get out of jail free card for anonymous or LULZsec or any other hacktivist groups. It can also be a form of entrapment by Facebook.

the_Grinch

"We worked with several third-party groups to ensure that the language in our policy protects researchers and makes clear our intent to work with, not punish, those who report information," Sullivan wrote.

The Electronic Frontier Foundation, an advocacy group that often weighs in on Internet-related legal issues, is a fan of that approach.

"We hope to see others follow Facebook's lead and go even further," the EFF wrote last year about Facebook's security policy. "The more transparent companies are about their approaches to vulnerability disclosure -- and the more they encourage users to come forward -- the more often they will learn about problems that need to be fixed."

Obviously that isn't going to help you with your ISP, but seems there is some sort of policy to cover your butt. Always look at the fineprint, I'd have to read the security policy to see how you are suppose to identify yourself as a professional or researcher. Loved to see someone get caught and using testing as the excuse:

Cop: "So you broke into your ex's Facebook and called her nasty things?"
You: "Um it was a security audit I was doing and I found a bug"
Cop: "Did you report the bug?"
You: "Um, as soon as I get out of here I will, promise I intended too!"

hiddenknight821

Even if I'm an InfoSec pro, I would rather not participate in this. If the anonymous finds out that you are helping them out, then you are probably screwed. That's just my theory.

alan2308

Sounds like Facebook getting worried now that Anonymous has announced that they're coming for them.

idr0p

1.) It says they give you money for finding BUGS not exploits there is a difference they are not asking you to hack them.

2.) It actually is a good more on facebooks part. they get "scanned" all the time by random people anyway might as well learn from them. I relate it do documentries where people are doing stuff illegal.. they are protected for educational purposes.

JDMurray

idr0p wrote: »

1.) It says they give you money for finding BUGS not exploits there is a difference they are not asking you to hack them.

Anything present or missing in a hard/software system that the designers and implementers didn't intend is considered to be a "bug." Therefore, assuming the designers/implementers didn't intend to create exploitable aspects of their system (i.e., vulnerabilities), all exploits are considered proof of the existence of bugs. One could say the true 'hackers" of any system development group are the people in Quality Assurance, who are constantly trying to break (i.e., "hack") what the developers are building.

So go forth and "QA" Facebook--but only with permission, and by following Facebook's rules.