Back in 2011, Facebook launched its bug bounty program, under which it pays people who disclose security bugs that had previously gone undiscovered.
The company also reminded researchers that it would not sue them, provided they gave it a reasonable amount of time to respond to a report before making any details public.
This week, the company announced its biggest bug bounty payout ever: $33,550, which went to Reginaldo Silva.
“In November, we were reading through incoming bug reports and stumbled on a claim we would have liked to research straight away: arbitrary file reads,” the company said in an update on the Facebook Bug Bounty Page. “The report was well written and included proof of concept code, so we were able to reproduce the issue easily. After running the proof of concept to confirm the problem, we filed an urgent task, triggering notifications to our on-call employees.”
The issue was an XML External Entity (XXE) vulnerability, which could have allowed an attacker to read arbitrary files on the web server: a crafted XML document declares an external entity backed by a local file, and the parser inlines the file's contents when it resolves the entity.
Facebook said it immediately deployed a fix by flipping a flag that makes its XML parsing library refuse to resolve external entities.
The company said, “This initial fix was simple enough to fit on one line: libxml_disable_entity_loader(true);.”
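The following PHP script is an added example, not Facebook's code or Silva's proof of concept. It reproduces the bug class on a constructed "secret" file, then shows the one-line mitigation quoted above inside a hardened parse routine. The file path, the XML payload and the function names are all constructed for illustration.

```php
<?php
// Added example (not Facebook's code): minimal XXE reproduction and the
// hardened parse using the libxml_disable_entity_loader(true) fix quoted
// in the article. Paths, payload and helper names are constructed.

// Constructed stand-in for any file the web server account can read.
$secretPath = tempnam(sys_get_temp_dir(), 'xxe');
file_put_contents($secretPath, "db_password=hunter2\n");

// Constructed attacker-supplied document: the internal DTD subset declares
// an external entity backed by a file:// URI and references it in content.
$payload = <<<XML
<?xml version="1.0"?>
<!DOCTYPE request [
  <!ENTITY xxe SYSTEM "file://{$secretPath}">
]>
<request><name>&xxe;</name></request>
XML;

function parseVulnerable(string $xml): string
{
    // LIBXML_NOENT asks libxml to substitute entities. With the entity loader
    // enabled, libxml fetches the external entity and inlines the file.
    $doc = new DOMDocument();
    $doc->loadXML($xml, LIBXML_NOENT);
    return $doc->getElementsByTagName('name')->item(0)->textContent;
}

function parseHardened(string $xml): DOMDocument
{
    // The fix quoted in the article. It is process-global and affects every
    // libxml consumer (DOMDocument, SimpleXML, XMLReader), including external
    // DTD and schema fetches. PHP 8.0 deprecates the call because libxml
    // >= 2.9.0 no longer loads external entities unless LIBXML_NOENT is set.
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);
    }
    // Defense in depth: an XXE needs a DTD to declare the entity, so refuse
    // any document that carries one at all.
    if (preg_match('/<!DOCTYPE/i', $xml)) {
        throw new InvalidArgumentException('DTD not allowed');
    }
    libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    // No LIBXML_NOENT, and LIBXML_NONET blocks http:// and ftp:// fetches.
    if (!$doc->loadXML($xml, LIBXML_NONET)) {
        throw new InvalidArgumentException('malformed XML');
    }
    return $doc;
}

// Vulnerable parse first, before the global switch is flipped: the <name>
// element now carries the secret file's contents.
echo "vulnerable parse returned: " . parseVulnerable($payload);

try {
    parseHardened($payload);
    echo "hardened parse accepted the document\n";
} catch (InvalidArgumentException $e) {
    echo "hardened parse rejected the document: " . $e->getMessage() . "\n";
}

unlink($secretPath);
```

Run it with `php xxe.php` (assumed file name). The order matters: once parseHardened has called libxml_disable_entity_loader(true), the setting stays in effect for the rest of the request, so a later parseVulnerable call in the same process would no longer leak the file. Because the flag is global, check that nothing else in the application legitimately loads external DTDs or XSDs before flipping it.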
You can read Facebook’s full explanation in the post below. A link to Silva’s writeup is included there.
Facebook Awards Biggest Bug Bounty Payout Yet