Facebook rewarded $33,500 as bounty for Remote Code Execution

Security concern the major role on the company's infrastructure internally or externally. For this concern many of the firms have announced the bug bounty programs. Firms like Google, Facebook, Microsoft, Yahoo and others too have started a bounty program for the hackers and researcher to give reward of there work.
Last year, Facebook have gave about $8,500 to the Indian researcher for reporting a bug on the Facebook, which was the highest reward paid by the Facebook as bounty. But Recently this reward amount has been broken by the Brazilian hacker "Reginaldo Silva", who was rewarded a bounty of $33,500.

Silva have reported a Remote Code Execution (RCE) vulnerability to Facebook. Vulnerability allows the attacker to see the any files from the server and also to execute any malicious code on the server.

Earlier Silva had discovered XML External Entity Expansion bug in the Drupal that handled OpenID. With the same exploit he found Google's App Engine and Blogger also gets effected. This bug is not much effective to the Google server, but then also Google rewarded $500 as a bounty to him.

After this, Silva learned that Facebook also use OpenID technology on "Forget Password" Page. So he tested his exploit on it, and he managed to discover XXE bug in Facebook that allowed him to see the "etc/password" files from the server.

He have reported a bug to facebook, and Facebook security team responded him quickly and fixed the bug with in 3.5 hours.

After getting fixing the report from Facebook, he asked to managed his access to further more. Silva test the vulnerability again and reported that the issue is fixed. For this bug report Facebook awarded reward of $33,500 to Silva, which is the highest reward ever given by Facebook to any researcher.