Brazilian techie gets biggest Facebook payout to date

Summary: Reginaldo Silva received $33,500 from the company as a reward for detecting a bug in its systems


Facebook announced its largest payment to date to a Brazilian computer engineer for finding one of the worst bugs it could have in its systems.

Reginaldo Silva received $33,500 from the company for his discovery: an XML external entity (XXE) vulnerability in a PHP page hosted on Facebook's servers that used OpenID authentication.

Silva found that the flaw could have allowed attackers to read almost any file on the social network's web server, and to open arbitrary network connections from it.
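The defensive side of this bug class, as an added illustration that is not code from the article or from Silva's own write-up: an external entity attack needs a DTD, because that is where a SYSTEM entity naming a file or URL is declared, so a parser fed untrusted XML can simply refuse any DOCTYPE. The XRDS-style discovery documents, the hostname and the file path below are all constructed placeholders.

```python
"""Hardened parsing of untrusted XML (e.g. OpenID discovery documents)."""
import xml.parsers.expat as expat


class UnsafeXmlError(ValueError):
    """Raised when untrusted XML declares a DTD, the hook XXE relies on."""


def parse_untrusted_xml(data: bytes) -> dict:
    """Parse XML into a {tag: text} map, refusing any DOCTYPE or external entity."""
    parser = expat.ParserCreate()
    texts, stack = {}, []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Abort on the declaration itself, before any entity is defined.
        raise UnsafeXmlError(f"DOCTYPE {name!r} rejected in untrusted input")

    def on_ext_entity(context, base, system_id, public_id):
        # Belt and braces: only reachable if a DTD somehow got past on_doctype.
        raise UnsafeXmlError(f"external entity {system_id!r} rejected")

    def on_start(tag, attrs):
        stack.append(tag)
        texts.setdefault(tag, "")

    def on_text(chunk):
        if stack:
            texts[stack[-1]] += chunk

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_ext_entity
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.StartElementHandler = on_start
    parser.EndElementHandler = lambda tag: stack.pop()
    parser.CharacterDataHandler = on_text
    parser.Parse(data, True)
    return {tag: text.strip() for tag, text in texts.items()}


# Constructed sample: a minimal XRDS-style discovery document with no DTD.
SAFE_DOC = b"""<?xml version="1.0"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD><Service><Type>http://specs.openid.net/auth/2.0/server</Type>
  <URI>https://openid.example.invalid/endpoint</URI></Service></XRD>
</xrds:XRDS>"""

# Constructed sample carrying the DTD an XXE attempt needs; the path is a placeholder.
XXE_DOC = b"""<?xml version="1.0"?>
<!DOCTYPE x [<!ENTITY ext SYSTEM "file:///PLACEHOLDER_LOCAL_FILE">]>
<XRD><URI>&ext;</URI></XRD>"""


def is_rejected(data: bytes) -> bool:
    """True if the hardened parser refuses the document."""
    try:
        parse_untrusted_xml(data)
    except UnsafeXmlError:
        return True
    return False
```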

On his website, information security expert Silva detailed the entire process of the bug detection, which began in September 2012 when he found a flaw affecting Google. That flaw stemmed from libraries implemented in Java, C#, PHP, Ruby, Python and Perl, and touched services including the Google properties App Engine and Blogger.

According to the engineer, Google paid him $500 for detecting that flaw.

Despite it being the largest Facebook Bug Bounty to date, Silva seemed to be disappointed that the reward wasn't more generous. He made a reference to a Bloomberg article from July 2012 quoting Facebook’s director for Security Incident Response, Ryan McGeehan, as saying, “If there’s a million-dollar bug, we will pay it out.”

"Unfortunately, I didn't get even close to the one-million dollar payout cited above," Silva says on his blog.

"If you have any comments about how much you think this should be worth, please share them," he adds.



  • Thinking bug

    Dear Google, there is a bug in your thinking. The reward system gets you workers with no HR expenses, no office space, no benefits...etc. If the possibility of a million gets cut down this far, why would anyone still be motivated to work for you for what will probably be for free? Instead what you should do is establish some definitions. What is a million dollar bug? What is a $33.5k bug? Then better you should overpay than underpay. You still come out ahead because you are managing expectations, which encourages participation.

    So for instance, let's look at this bug report I am writing here. It isn't about a bug in your software but in your software bug reporting reward system. Close enough. Should you pay me? Of course, because the PR will be phenomenal. Unlike Reginaldo, I won't complain about $33,500, because honestly, I didn't work that long on this.
    Producto Endorsair