Facebook awarded $50,000 to Johannes Dahse and Thorsten Holz, two researchers from Ruhr-Universität Bochum in Germany, for their paper, “Static Detection of Second-Order Vulnerabilities in Web Applications.”
According to a Facebook post, the researchers used static analysis to detect “second-order vulnerabilities” in web applications: flaws in which attacker-supplied data is first stored on the web server and only later used to inflict harm.
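The following is an added illustration of the pattern described above, not code from the paper or from Facebook's post: a value that is stored safely with a parameterized INSERT is later read back and trusted by a second code path, where the vulnerable sink is shown beside its hardened form. The table, account names and the stored value are all constructed for the example.

```python
import sqlite3

# Constructed sample input: a user name that is harmless when stored with a
# parameterized INSERT, but becomes a payload when the application later
# reuses the stored value by string concatenation (a second-order flaw).
CONSTRUCTED_NAME = "admin' OR '1'='1"


def setup_db():
    """In-memory database with two pre-existing accounts (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT);"
        "INSERT INTO users (name, role) VALUES ('alice', 'user'), ('admin', 'admin');"
    )
    return conn


def register(conn, name):
    """First-order sink is safe: the payload is only stored, never interpreted."""
    cur = conn.execute("INSERT INTO users (name, role) VALUES (?, 'user')", (name,))
    conn.commit()
    return cur.lastrowid


def roles_for_user_vulnerable(conn, user_id):
    """Second-order flaw: the name read back from the DB is trusted and
    concatenated into a new query, so the stored value is now interpreted."""
    name = conn.execute("SELECT name FROM users WHERE id = ?", (user_id,)).fetchone()[0]
    sql = "SELECT role FROM users WHERE name = '" + name + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def roles_for_user_fixed(conn, user_id):
    """Hardened version: data coming out of storage is still untrusted input
    and is bound as a parameter at every sink."""
    name = conn.execute("SELECT name FROM users WHERE id = ?", (user_id,)).fetchone()[0]
    sql = "SELECT role FROM users WHERE name = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (name,))]


def demo():
    """Store the value once, then reach it later from the 'profile' code path."""
    conn = setup_db()
    new_id = register(conn, CONSTRUCTED_NAME)
    return roles_for_user_vulnerable(conn, new_id), roles_for_user_fixed(conn, new_id)


if __name__ == "__main__":
    vulnerable, fixed = demo()
    print("vulnerable sink leaked roles:", vulnerable)  # ['user', 'admin', 'user']
    print("fixed sink returned:", fixed)                # ['user']
```

A scanner that only checks the registration form sees a parameterized query and reports nothing; the defect lives at the second sink, which is why the paper tracks data through persistent storage rather than only from request to query.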
“In addition to their impressive results, the committee responded well to their implementation approach,” said John Flynn, a security engineering manager at Facebook who served on the Award Committee for the Internet Defense Prize.
“The technical merit of the paper was strong, and the committee could see a clear path for applying the award funds to push the research to the next level in order to produce broader impact and encourage people to implement the technology. We’re very excited to see what they do next. We’ll be getting a status report in about a year.”
Facebook approached USENIX to help with evaluating the submissions it received this year, with the goal of recognizing superior quality research that combines a working prototype with significant contributions to the security of the internet – particularly in the areas of protection and defense.
Facebook invites researchers to submit their work for consideration for a future Internet Defense Prize, and said that the award amount may grow larger if an idea is particularly strong, or that it may hold onto the funds if no project meets the bar.
In the last few years, Facebook has awarded over $3 million and built important relationships with security researchers from around the world who report software bugs to them.
Facebook has also helped create the Internet Bug Bounty to reward bugs found in open source software projects, contributed to initiatives like the Core Infrastructure Initiative that fund critical security software needs, and released open source software to help other developers incorporate security by default (Conceal, MIDAS).
Source: infosecurity Magazine