
Facebook has a couple dozen contractors that employ thousands of people. These contractors fall out of the scope of Facebook’s Bug Bounty in most cases, and the contractors do not have a way to contact them about security vulnerabilities or a defined process.

It is an enormous legal arbitrage finance maneuver it seems. These contractors are awarded very large contracts in exchange for essentially assuming huge legal liability. They are gambling nothing bad will happen. It makes sense from a business perspective for both parties.

These contractors can be quickly identified via some searching online. From there, if you map their DNS infrastructure via common tools like https://dnsdumpster.com, you will find very poorly (or at least quickly) set up AWS/Azure infrastructures running software behind on patching, usually by 1-3 years, and having documented exploits that can be triggered remotely without previous auth.

The situation is very sad, and I would encourage the engineers at Facebook to at least ask their managers if they think this serves the company. The good news is of course it can be fixed quickly and dramatically. OS updates and a few L4 firewall rules for the host are often all that is needed.

EDIT: changed a plural
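The recon-and-remediation loop the comment above describes, as an added example that is not part of the thread or anyone's actual tooling: it classifies a constructed DNS export by CNAME target to pick out cloud-hosted assets, flags exposed services whose software version is more than a year old, compares open ports against an assumed per-host allowlist, and drafts the default-deny L4 nftables ruleset that would close everything else. The hostnames, addresses, scan results, version years and admin CIDR are constructed placeholders; the CNAME suffix table is an assumption covering common AWS/Azure targets, not an exhaustive list.

```python
"""Triage a DNS export for cloud-hosted assets and draft host-level L4 firewall rules.

Added example for the thread above, not code from any commenter or from Facebook or
its contractors. All records, scan results and CIDRs below are constructed sample data.
"""
import ipaddress

# Assumed (non-exhaustive) CNAME suffixes that indicate a host lives in a cloud provider.
CLOUD_SUFFIXES = {
    "aws": (".amazonaws.com", ".cloudfront.net"),
    "azure": (".azurewebsites.net", ".cloudapp.azure.com",
              ".trafficmanager.net", ".blob.core.windows.net"),
}

# Constructed sample of what a dnsdumpster-style export might contain: (name, type, value).
DNS_RECORDS = [
    ("portal.contractor.example", "CNAME", "lb-12345.us-east-1.elb.amazonaws.com"),
    ("jira.contractor.example", "CNAME", "contractor-jira.cloudapp.azure.com"),
    ("mail.contractor.example", "A", "203.0.113.10"),  # TEST-NET-3 placeholder address
    ("www.contractor.example", "CNAME", "d111111abcdef8.cloudfront.net"),
]

# Constructed port-scan results per host: (port, service, reported software, release year).
EXPOSED = {
    "portal.contractor.example": [
        (22, "ssh", "OpenSSH 7.4", 2016),
        (443, "https", "nginx", 2019),
        (3306, "mysql", "MySQL 5.6.x", 2013),
    ],
    "jira.contractor.example": [
        (8080, "http", "Jira 7.x", 2016),
        (5432, "postgresql", "PostgreSQL 9.x", 2014),
    ],
}

# Assumed allowlist: the only TCP ports each host is meant to expose to the Internet.
INTENDED = {
    "portal.contractor.example": {443},
    "jira.contractor.example": {8080},
}


def classify_provider(cname_target):
    """Return 'aws', 'azure' or None based on the CNAME target's suffix."""
    target = cname_target.lower().rstrip(".")
    for provider, suffixes in CLOUD_SUFFIXES.items():
        if target.endswith(suffixes):
            return provider
    return None


def cloud_hosts(records):
    """Map hostname -> provider for every CNAME that points into a known cloud provider."""
    found = {}
    for name, rtype, value in records:
        if rtype == "CNAME":
            provider = classify_provider(value)
            if provider:
                found[name] = provider
    return found


def stale_services(exposed, current_year, max_age_years=1):
    """List (host, port, software) for services whose release year is too far in the past."""
    flagged = []
    for host, services in exposed.items():
        for port, _service, software, year in services:
            if current_year - year > max_age_years:
                flagged.append((host, port, software))
    return flagged


def unintended_ports(exposed, intended):
    """Map host -> sorted list of open ports that are not on that host's allowlist."""
    return {
        host: sorted(port for port, *_ in services if port not in intended.get(host, set()))
        for host, services in exposed.items()
    }


def nft_rules(intended_ports, admin_cidr="198.51.100.0/24"):
    """Draft a default-deny inbound nftables ruleset: loopback, established flows,
    the intended TCP ports, and SSH only from an (assumed, TEST-NET-2) admin range."""
    ipaddress.ip_network(admin_cidr)  # raises ValueError on a malformed CIDR
    ports = ", ".join(str(p) for p in sorted(intended_ports))
    return "\n".join([
        "table inet filter {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    iif lo accept",
        "    ct state established,related accept",
        f"    ip saddr {admin_cidr} tcp dport 22 accept",
        f"    tcp dport {{ {ports} }} accept",
        "  }",
        "}",
    ])


if __name__ == "__main__":
    print("cloud-hosted:", cloud_hosts(DNS_RECORDS))
    print("stale:", stale_services(EXPOSED, current_year=2019))
    for host, ports in unintended_ports(EXPOSED, INTENDED).items():
        print(f"{host}: close {ports}")
        print(nft_rules(INTENDED[host]))
```

The rule text is plain nftables syntax and can be loaded with `nft -f`; the point of generating it from the allowlist rather than writing it by hand is that the same inventory that drives the "what is exposed that shouldn't be" report also drives the fix, so the two cannot drift apart.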



"Move fast and break things" is definitely in contention with "hold the most personal data of everyone on the planet".


I am not sure about your use of "in contention"; it doesn't really make sense to me here. Did you mean something like "incompatible" or "in conflict"?



