Facebook to Expand Bug Bounty Program

Now the project involves third-party websites and applications
19 September 2018

Facebook has announced an expansion of its reward program for bugs that allow access tokens to be obtained or misused.

When a user logs in to an application via Facebook, the application receives a unique access token for that user. If such a token falls into an attacker's hands, it can be used with whatever permissions its owner has granted.
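The defender-side consequence of that paragraph is that a server must never trust a token a client presents on its own. The following is an added example, not code from the article or from Facebook: it applies the checks a relying party should run on the result of Facebook's token introspection before accepting a login. The response field names (`app_id`, `is_valid`, `expires_at`, `scopes`, `user_id`) follow the Graph API `/debug_token` response as I recall it and should be treated as an assumption; the sample responses, app id and timestamps are constructed for the demo, and the HTTP call itself is left out so the code runs offline.

```python
"""Added example (not from the article): server-side checks on a Facebook-style
user access token before it is trusted for login.  The response shape is
assumed from the Graph API /debug_token endpoint; all values are constructed."""
from typing import Optional, Set, Tuple

# Constructed sample responses in the assumed /debug_token "data" shape.
SAMPLE_DEBUG_RESPONSES = {
    "good": {"data": {"app_id": "1000", "is_valid": True, "expires_at": 2_000_000_000,
                      "scopes": ["public_profile", "email"], "user_id": "42"}},
    # Valid token, but minted for another app: a token leaked from app X
    # must not be replayable as a login for app Y.
    "other_app": {"data": {"app_id": "2000", "is_valid": True, "expires_at": 2_000_000_000,
                           "scopes": ["public_profile", "email"], "user_id": "42"}},
    "expired": {"data": {"app_id": "1000", "is_valid": False, "expires_at": 1_000_000_000,
                         "scopes": ["public_profile", "email"], "user_id": "42",
                         "error": {"code": 190, "message": "Error validating access token"}}},
    # Valid token with fewer grants than the service needs.
    "narrow": {"data": {"app_id": "1000", "is_valid": True, "expires_at": 2_000_000_000,
                        "scopes": ["public_profile"], "user_id": "42"}},
}

OUR_APP_ID = "1000"                            # placeholder for the real app id
REQUIRED_SCOPES = {"public_profile", "email"}  # least privilege: only what we use


def check_token(debug_response: dict, expected_app_id: str,
                required_scopes: Set[str], now: int) -> Tuple[Optional[str], str]:
    """Return (user_id, "ok") if the token may be trusted, else (None, reason).

    debug_response must come from the server's own introspection call made
    with the app's credentials; nothing the client sent is trusted directly.
    """
    data = debug_response.get("data") or {}
    if not data.get("is_valid"):
        return None, "token is not valid (revoked, malformed or expired)"
    # Bind the token to this app: stops cross-app token replay.
    if str(data.get("app_id")) != expected_app_id:
        return None, "token was issued for a different app"
    expires_at = int(data.get("expires_at") or 0)
    if expires_at and expires_at <= now:       # 0 denotes a non-expiring token
        return None, "token has expired"
    # Enforce that the grants cover what the service will actually do.
    missing = required_scopes - set(data.get("scopes", []))
    if missing:
        return None, "token lacks required scopes: " + ", ".join(sorted(missing))
    user_id = data.get("user_id")
    if not user_id:
        return None, "token carries no user id"
    return str(user_id), "ok"


def main() -> None:
    now = 1_537_315_200  # constructed timestamp so the demo is deterministic
    for name, response in SAMPLE_DEBUG_RESPONSES.items():
        user, reason = check_token(response, OUR_APP_ID, REQUIRED_SCOPES, now)
        print(f"{name:10s} -> user={user!r} reason={reason}")


if __name__ == "__main__":
    main()
```

The app-id comparison is the check most often skipped: a token that is perfectly valid for some other application is still worthless as proof of identity here, and accepting it turns any token leak elsewhere into an account takeover on your own service.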

The program now also covers third-party sites and applications, namely:

  • Instagram;
  • Internet.org / Free Basics;
  • Oculus;
  • Onavo;
  • Facebook's open source platform;
  • WhatsApp.

Facebook's developers have updated the terms of service to include the main criteria for submitting a bug report. The key requirement is that a report must contain clear proof demonstrating how the tokens can be obtained. Reports can be submitted by contacting Facebook security.

The Facebook team is prepared to pay $500 for a vulnerability found in an application or on a site, provided the report is compiled correctly. Reports will be accepted only if the researcher found the bug through passive observation of information and did not exploit it in any way for their own purposes.

The company has also published a list of issues that the program does not cover:

  • spam and social engineering techniques;
  • denial of service attacks;
  • content injection where no security risk is demonstrated;
  • security vulnerabilities in third-party applications and on third-party sites integrated with Facebook (including most of the pages on apps.facebook.com);
  • script execution on sandbox domains (for example, fbrell.com or fbsbx.com).

To improve security and speed up problem resolution, Facebook's developers have created a tool called SapFix, which automatically generates and applies patches. It is based on artificial intelligence that independently finds errors and offers candidate corrections.

LLVM 10.0.0 to be Released

The new version of the popular development toolkit brings, among other things, support for C++ Concepts
26 March 2020

After six months of development, LLVM 10.0 has been released: a GCC-compatible toolkit (compilers, optimizers and code generators) that compiles programs into an intermediate bitcode of RISC-like virtual instructions (a low-level virtual machine with a multi-level optimization system). The generated pseudo-code can be converted by the JIT compiler into machine instructions directly at program run time.

Among the new features of LLVM 10.0 are support for C++ Concepts, the end of launching Clang as a separate process, support for CFG (Control Flow Guard) checks on Windows, and support for new CPU features.

The main innovations of LLVM 10.0:

  • New interprocedural optimizations and analyzers have been added to the Attributor framework. It deduces the state of 19 different attributes, including 12 LLVM IR attributes and 7 abstract attributes such as liveness.
  • New built-in matrix math functions (intrinsics) have been added, which are lowered to efficient vector instructions at compile time.
  • Numerous improvements to the backends for the X86, AArch64, ARM, SystemZ, MIPS, AMDGPU and PowerPC architectures. Support for the Cortex-A65, Cortex-A65AE, Neoverse E1 and Neoverse N1 CPUs has been added. For ARMv8.1-M, code generation has been optimized (for example, support for low-overhead loops has appeared) and auto-vectorization using the MVE extension has been added. Support for the MIPS Octeon CPU has been improved. PowerPC gains vectorization of math routines using the MASSV (Mathematical Acceleration SubSystem) library, improved code generation and optimized memory access from loops. For x86, handling of the vector types v2i32, v4i16, v2i16, v8i8, v4i8 and v2i8 has been changed.
  • Improved code generator for WebAssembly. Support for TLS (Thread-Local Storage) and the atomic.fence instruction has been added. SIMD support has been significantly expanded. WebAssembly object files can now use function signatures with multiple return values.
  • When processing loops, the MemorySSA analyzer is now used to determine dependencies between different memory operations. MemorySSA can reduce compile and run time, and can be used instead of AliasSetTracker without sacrificing performance.
  • The LLDB debugger has significantly improved support for the DWARF v5 format. Build support with MinGW has been improved, and initial support for debugging Windows executables for the ARM and ARM64 architectures has been added. Descriptions of the options offered during tab completion of input have been added.
  • Enhanced LLD linker features. ELF support has been improved, including full compatibility of glob patterns with the GNU linker, support for compressed ".zdebug" debug sections, the PT_GNU_PROPERTY program header describing the .note.gnu.property section (usable by future Linux kernels), and the "-z noseparate-code", "-z separate-code" and "-z separate-loadable-segments" modes. MinGW and WebAssembly support has been improved.

See the release notes for more details.