The country that hosts Facebook’s largest user base, India, is also the country whose cyber security researchers receive the largest share of payouts from the social media behemoth for discovering data breaches and vulnerabilities. According to Facebook, in 2018 the company awarded over $1.1 million to security researchers from more than 100 countries, bringing its total payout to date to over $7.5 million. The payout programme, known as a bug bounty scheme, was started by Facebook in 2011. The top three countries based on the sum of payouts were India, the US, and Croatia.
It was an Indian security expert who played a crucial role in the latest incident of a data breach at the social media company though he didn’t report his discovery under the bug bounty programme. American online publisher Tech Crunch reported on Wednesday the discovery of hundreds of millions of phone numbers linked to Facebook accounts through an exposed server which contained more than 419 million records over several databases on users across markets.
The bug bounty programme
Tech Crunch was tipped off by Sanyam Jain, an Indian security researcher from Udaipur and a member of the nonprofit Hague-based GDI Foundation. Dan Gurfinkel, the security engineering manager for Facebook, said since the company started its bug bounty programme where it collaborates with security researchers from around the world, India has been among the top contributing countries based on the bounty payouts and quality of bug reports. “We greatly value our bug bounty community from India that continuously engages with us to help keep people using our platforms safe,” he added.
Lucideus: The top contributor
Saket Modi, CEO and co-founder of Lucideus, says his company is a top contributor to finding cyber vulnerabilities. He said Lucideus discovers many of the findings collected in the National Vulnerability Database (NVD), the world’s biggest database of cyber vulnerabilities, maintained by the US government, and that the company has reported around 30 vulnerabilities to various social media companies over the past two years. In response to the latest breach discovered by Jain, Facebook said the data set is old and appeared to contain information obtained before it made changes last year to remove people’s ability to find others using phone numbers. But concerns have been mounting since Jain’s discovery.
“If we take Facebook’s comments at face value, we are happy people can’t do it now. But before they made changes, through an automated scraping methodology, a person/script could download the phone numbers and even in some cases the names and gender and location of 419 million people. It does not speak highly of Facebook. They are saying today it does not exist, but they have been there for more than a decade. Before last year, what was happening?” said Modi of Lucideus. In response to ET’s queries, Facebook did not specify if any Indian users had been impacted. “The dataset has been taken down and we see no evidence that Facebook accounts were compromised. The underlying issue was addressed as part of a newsroom post on April 4, 2018 by Facebook’s chief technology officer,” said a Facebook spokesperson.