According to Facebook, in 2018 the company awarded over $1.1 million to security researchers from more than 100 countries, bringing the total payout to date to over $7.5 million. The payout programme, known as a bug bounty scheme, was started by Facebook in 2011. The top three countries based on the sum of payouts were India, the US and Croatia.
American online publisher TechCrunch reported on Wednesday the discovery of an exposed server holding hundreds of millions of phone numbers linked to Facebook accounts. The server contained more than 419 million records over several databases on users across markets. TechCrunch was tipped off by Sanyam Jain, an Indian security researcher from Udaipur and a member of the Hague-based nonprofit, GDI Foundation.
Dan Gurfinkel, the security engineering manager for Facebook, said since the company started its bug bounty programme — where it collaborates with security researchers from around the world — India has been among the top contributing countries based on the bounty payouts and quality of bug reports. “We greatly value our bug bounty community from India that continuously engages with us to help keep people using our platforms safe,” he added.
Gautam Kumawat, who trains state police departments on social media and cybercrime and has been an awardee in Facebook’s programme, said the bug bounty community from India has grown in keeping with the popularity of the platform here.
Vulnerable Data Set Old: Facebook
Last month, Indian security researcher Laxman Muthiyah from Chennai received $30,000 from Facebook for detecting a major security flaw and demonstrating how multiple Instagram accounts could be hacked within minutes. He won $10,000 again this month for hunting a bug on the same platform. Muthiyah made his findings public on his blog The Zero Hack on July 29.
Saket Modi, CEO and co-founder of Lucideus, says his firm is a top contributor to finding cyber vulnerabilities. He said Lucideus discovers many of the findings collected in the National Vulnerability Database, the world’s biggest database of cyber vulnerabilities maintained by the US government, and that the company has reported around 30 vulnerabilities to various social media firms over the past two years.
In response to the latest breach discovered by Jain, Facebook said the data set is old and appeared to have information obtained before it made changes last year to remove people’s ability to find others using phone numbers. But concerns have been mounting since Jain’s discovery. In response to ET’s queries, Facebook did not specify if any Indian users had been impacted. “The dataset has been taken down and we see no evidence that Facebook accounts were compromised. The underlying issue was addressed as part of a newsroom post on April 4, 2018 by Facebook’s chief technology officer,” said a Facebook spokesperson.