Facebook announced its largest payment to date to a Brazilian computer engineer for finding one of the worst bugs it could have in its systems.
Reginaldo Silva received $33,500 from the company for his discovery, an XML external entity (XXE) vulnerability in a PHP page hosted on its servers that handled OpenID authentication.
Silva found that the flaw could have let an attacker read almost any file on the social network's web server and open arbitrary network connections from it.
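The class of flaw described above, reduced to the check a defender would want on any XML accepted from an outside party such as an OpenID response. This is an added Python example, not Silva's write-up or Facebook's code; the sample documents and the file path in the entity declaration are constructed placeholders.

```python
import io
import re
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges, feature_external_pes

# Constructed sample inputs (not taken from the original report).
BENIGN_XML = b"<root><claimed_id>https://example.org/alice</claimed_id></root>"
XXE_XML = (b'<!DOCTYPE root [<!ENTITY ext SYSTEM "file:///PLACEHOLDER/secret">]>'
           b"<root><claimed_id>&ext;</claimed_id></root>")

# Entities can only be declared inside a DOCTYPE, so its presence in a
# message that never legitimately needs one is itself the signal to reject.
_DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)


class UnsafeXMLError(ValueError):
    """Raised when an inbound document carries a DOCTYPE/entity declaration."""


class _TextCollector(ContentHandler):
    """Minimal handler that gathers the document's character data."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def parse_untrusted_xml(data: bytes) -> str:
    """Parse XML from an untrusted peer and return its character data.

    Two layers: refuse any DOCTYPE up front, and tell the parser never to
    fetch external general or parameter entities, so a SYSTEM entity can
    neither read a local file nor open an outbound connection even if the
    first check were bypassed.
    """
    if _DOCTYPE_RE.search(data):
        raise UnsafeXMLError("DOCTYPE/entity declarations are not accepted")
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)
    parser.setFeature(feature_external_pes, False)
    handler = _TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(data))
    return "".join(handler.parts)


if __name__ == "__main__":
    print(parse_untrusted_xml(BENIGN_XML))
    try:
        parse_untrusted_xml(XXE_XML)
    except UnsafeXMLError as exc:
        print("rejected:", exc)
```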
On his website, Silva, an information security expert, described the whole path to the discovery, which began in September 2012 when he found a Google flaw affecting libraries written in Java, C#, PHP, Ruby, Python and Perl and used by services including Google's App Engine and Blogger.
According to the engineer, Google paid him $500 for detecting that flaw.
Despite it being the largest Facebook Bug Bounty to date, Silva seemed to be disappointed that the reward wasn't more generous. He made a reference to a Bloomberg article from July 2012 quoting Facebook’s director for Security Incident Response, Ryan McGeehan, as saying, “If there’s a million-dollar bug, we will pay it out.”
"Unfortunately, I didn't get even close to the one-million dollar payout cited above," Silva wrote on his blog.
"If you have any comments about how much you think this should be worth, please share them," he adds.