Facebook awarded a Russian security researcher $40,000 — its biggest payout ever — for discovering a flaw that could have enabled hackers to hide malicious code in image files uploaded to Facebook.
Andrew Leonov discovered Facebook was susceptible to a "remote code execution" flaw in ImageMagick, an open-source image-processing library widely used to handle uploaded pictures.
The bug was actually found and patched by Facebook last year, but Leonov found he could bypass the patch Facebook had devised. Leonov reported the problem to Facebook on Oct. 16 and the company patched the hole within three days. "Great bug from a responsible reporter," wrote Alex Stamos, Facebook's information security chief, in a Twitter post.
Great bug from a responsible reporter who got $40K. https://t.co/3pjis2EQGq — Alex Stamos (@alexstamos), January 17, 2017
Facebook says it was fairly certain the vulnerability had not yet been exploited. Prior to Leonov's discovery, the social network's biggest payout was $35,000 for a security researcher who discovered a bug that affected Facebook's login process.
Facebook has been a huge proponent of the bug bounty concept, having paid more than $5 million to white hat hackers since it started the program six years ago. Bug bounty programs remain an attractive and effective option for companies looking to find and patch security holes they haven't been able to find on their own.