Last month, a security researcher named Anand Prakash stumbled on a major flaw in Facebook's account security. When an account is reset, Facebook sends a 6-digit PIN to the user's phone, using that PIN as a temporary password while the account is reset. But while Facebook normally cuts you off after ten or twelve bad guesses, Prakash noticed those protections were missing on beta.facebook.com, where developers often deploy new features that aren't ready for facebook.com. But since every Facebook account is also available on beta.facebook.com, the resulting bug let him flood the page with PIN guesses, effectively letting him break into any account he wanted.
The bug was the result of a change deployed to the beta page a few days earlier, and doesn't seem to have been widely exploited before it was discovered by Prakash. Still, it's a serious security problem, and exactly the type of attack that bug bounties are meant to solve. Prakash sent in the bug through Facebook's report vulnerability page, and the next day, the company confirmed that it had been fixed. Eight days after that, Facebook awarded him $15,000 for reporting the issue.
It's a high payout for a relatively simple bug, but like many companies, Facebook's bug bounties are valued according to risk rather than just complexity. (Facebook's White Hat page says payouts are "based on risk, impact, and other factors.") If the change Prakash found had been deployed to Facebook.com, it could have triggered widespread user attacks, making this one of the more dangerous bugs a researcher could find.
"One of the most valuable benefits of bug bounty programs is the ability to find problems even before they reach production," Facebook said in a statement. "We're happy to recognize and reward Anand for his excellent report." Facebook has made more than $4.3 million in payouts to more than 800 researchers since the bug bounty program began in 2011.