Techtonica and Semmle: How a Facebook Fizz bug bounty is benefiting a non-profit

June 18, 2019

This is a guest post from the team at Techtonica.org. Techtonica partners with tech companies to provide free tech training, living stipends, and job placement to women and non-binary adults in need in the SF Bay Area.

After successfully catching a Denial of Service (DoS) bug in Facebook’s open-source Fizz, Semmle donated their $10,000 bug bounty to non-profit Techtonica. The donation was matched by Facebook according to their policy.

Techtonica is a San Francisco-based non-profit that trains women and non-binary identifying adults in full stack JavaScript development. The organization partners with tech companies like Indeed, SurveyMonkey, and Redfin to sponsor apprentices for six months of training and three months of job placement. Companies also undergo diversity and inclusion training as a part of the program.

The donation highlights a goal that Semmle and Techtonica share: improving access for underrepresented groups in tech, whether by providing the training needed to get started or by improving the security of open source code.

Semmle’s white hat efforts are a regular part of their research, in an effort to keep open source software as secure as possible. “Not all software projects have the necessary resources when it comes to cybersecurity,” said VP of Marketing, Ken Olofsen. “We strive to help as many open-source projects as possible by sharing our security knowledge, ensuring every project has the opportunity to deliver the highest level of security possible.”

Semmle security researcher Kevin Backhouse found the DoS bug in Fizz, Facebook’s open source implementation of the Transport Layer Security (TLS) protocol. The library is used in most of the social media giant’s internal and external infrastructure, usually for securing communications with web services. “The impact of the vulnerability is that an attacker can send a malicious message via TCP to any server that uses Fizz and trigger an infinite loop on that server,” said Backhouse in a March post for Semmle.

Backhouse goes on to explain that since the message itself is barely 64KB, it is “extremely cheap for the attacker, but crippling for the server.” Even a home computer on a poor connection can send such messages fast enough that it would not take a bot much time to “debilitate an entire datacentre.” Backhouse notes that Facebook created a patch rapidly once he had notified them of the bug.

Although Facebook does not usually award bug bounties for DoS bugs, it made an exception because of the seriousness of this one. In the same spirit as its white hat efforts, Semmle chose to donate the reward to Techtonica.

By offering a bootcamp environment at no cost to apprentices, as well as regular free coding workshops throughout the Bay Area, Techtonica hopes to address the growing disparity and displacement created by the booming tech industry. Most development bootcamps come with a hefty (and ever-growing) price tag, making them prohibitive for many Bay Area residents.

Instead, Techtonica provides each apprentice with a living stipend, a computer, and help with childcare as needed, which helps to empower women and non-binary people in their continuing technical education. Attendees of the free coding workshops learn basic coding skills and also learn about the opportunities available to them within the tech industry, whether a directly technical role such as developer or engineer, or a tech-adjacent position that requires technical knowledge but a different set of skills.

Semmle is excited and proud to support Techtonica since both of our organizations believe that we can achieve more if we share our collective knowledge and invest in helping the community as a whole.

Oege de Moor, Semmle’s CEO

Since the bug bounty was donated to Techtonica, Facebook matched the amount in an additional donation, bringing the total donated to $20,000. This amount will help Techtonica continue to offer free software engineering training, laptops, and living and childcare stipends to Bay Area women and non-binary adults with low incomes. A portion of the donation will go directly to cover the costs associated with hosting free coding workshops throughout the Bay Area at places like the San Francisco Public Library and the St. Anthony Foundation’s Tenderloin Tech Lab.

We are really grateful for Semmle’s generosity. A huge congratulations to them for discovering such a serious vulnerability.

Michelle Glauser, Techtonica’s Founder & CEO

The timing of Semmle’s donation could not be better: Techtonica’s current cohort of apprentices graduates this Wednesday before beginning placement with Techtonica’s partner companies. One of this cohort’s sponsors, Indeed, will be hiring four of the eleven apprentices for at least the next six months. Techtonica is currently seeking the last few sponsors for its next (larger!) cohort, which will start on July 8th with seventeen participants.
