Besides his effort to make Internet access available to everyone across the world, Facebook founder Mark Zuckerberg is working to make the Internet a more secure place as well.
Until now, a number of large technology companies have run bug bounty programs to reward researchers and cyber enthusiasts who contribute to the security of the Internet by finding security holes in software or web platforms, and the social networking giant Facebook is the latest one to do so.
Facebook and USENIX have together established the Internet Defense Prize, an award recognizing superior-quality research that combines a working prototype with significant contributions to securing the Internet, Facebook announced Thursday at the annual USENIX Security Symposium in San Diego.
Facebook also announced the first award under the Internet Defense Prize, honoring a pair of German researchers for their paper, “Static Detection of Second-Order Vulnerabilities in Web Applications”, which presents a seemingly viable approach to detecting vulnerabilities in web applications.
The duo used a static analysis approach to detect “second-order vulnerabilities” in web applications: flaws in which malicious input is first stored on the web server and only causes harm later, when it is read back. Second-order vulnerabilities involve uploading a malicious script or payload to the targeted web server, allowing an attacker to exploit it remotely.
“For example, XSS attacks that target the application’s users are worse if the payload is stored in a shared resource and distributed to all users,” the paper explained.
Second-order vulnerabilities are very difficult to detect when analyzing source code statically, but "By analysing reads and writes to memory locations of the web server, we are able to identify unsanitized data flows by connecting input and output points of data in persistent data stores such as databases or session data," said the researchers, who revealed 159 second-order vulnerabilities in six popular web applications, including several critical zero-day holes.
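To make the quoted idea concrete, here is an added, constructed example of a toy two-pass taint analysis that links writes to and reads from a persistent store across request handlers; it is not the researchers' tool, and the intermediate form, handler names and store keys are assumptions made for the illustration.

```python
from collections import defaultdict

# Tiny PHP-like intermediate form, one statement list per request handler:
#   ("source", var)         var receives untrusted request input
#   ("sanitize", dst, src)  dst = htmlspecialchars(src)
#   ("store", key, var)     persistent write (DB column / session key) <- var
#   ("load", var, key)      persistent read  var <- (DB column / session key)
#   ("sink", var)           var is echoed into the HTML response
SAMPLE_APP = {  # constructed sample, not a real application
    "post_comment": [("source", "text"),
                     ("store", "comments.body", "text")],       # unsanitized
    "set_profile":  [("source", "name"),
                     ("sanitize", "safe_name", "name"),
                     ("store", "users.name", "safe_name")],     # sanitized
    "show_thread":  [("load", "body", "comments.body"),
                     ("sink", "body"),                          # second-order XSS
                     ("load", "name", "users.name"),
                     ("sink", "name")],                         # clean store
}

def tainted_store_keys(app):
    """Pass 1: intraprocedural taint tracking; map each persistent key to the
    handlers that write unsanitized request data into it (store input points)."""
    writers = defaultdict(set)
    for handler, stmts in app.items():
        tainted = set()
        for st in stmts:
            if st[0] == "source":
                tainted.add(st[1])
            elif st[0] in ("sanitize", "load"):   # assignment from clean data
                tainted.discard(st[1])
            elif st[0] == "store" and st[2] in tainted:
                writers[st[1]].add(handler)
    return writers

def second_order_flows(app):
    """Pass 2: a load from a tainted key is a new source; report each sink it
    reaches unsanitized as (reading handler, key, writing handler) triples."""
    writers = tainted_store_keys(app)
    findings = set()
    for handler, stmts in app.items():
        origin = {}  # var -> persistent key it was last loaded from
        for st in stmts:
            if st[0] == "load":
                origin[st[1]] = st[2]
            elif st[0] == "sanitize":
                origin.pop(st[1], None)
            elif st[0] == "sink" and origin.get(st[1]) in writers:
                key = origin[st[1]]
                findings.update((handler, key, w) for w in writers[key])
    return sorted(findings)
```

Only the comment flow is reported: `post_comment` writes raw input into `comments.body`, and `show_thread` echoes it without sanitization, while the profile name is cleaned before it ever reaches the store.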
The researchers, Johannes Dahse and Thorsten Holz of Ruhr University in Bochum, Germany, received $50,000 in prize money from an award committee made up of Facebook and USENIX representatives. The committee saw a "clear path" for using the money to turn the research into technology that could be deployed in the real world.
The Internet Defense Prize is an ongoing program and the committee is soliciting new entries for a future prize, according to John “Four” Flynn, a security engineering manager at Facebook who served on the Award Committee for the Internet Defense Prize.
"We decided to focus on creating greater opportunities and incentives for researchers to produce work that actually protects people," Flynn wrote in a blog post. "Our answer is the Internet Defense Prize, an award to recognize superior quality research that combines a working prototype with significant contributions to the security of the internet — particularly in the areas of protection and defense."
The committee is inviting researchers and security enthusiasts to submit their work to Facebook for consideration as a future recipient of the Internet Defense Prize, and said that the award amount may increase depending on the strength of the submission, or that it may hold onto the funds if no project meets the bar.
Last November, Facebook also helped create the Internet Bug Bounty, a program similar to the Internet Defense Prize that rewards researchers for finding large-scale Internet vulnerabilities in open source software projects. The Internet Bug Bounty is hosted by HackerOne and also involves other large companies such as Microsoft and Google.