collin (@libber)'s Twitter Profile
collin

@libber

ID: 8733812

http://libber.org | 07-09-2007 21:03:36

340 Tweet

2,2K Followers

505 Following

collin (@libber):

Sometimes we find bugs in code that isn't ours, now (following the p0 playbook) we have a pathway to disclose them zdnet.com/article/facebo…

collin (@libber):

Two improvements to the Facebook bug bounty: HackerPlus our loyalty program (facebook.com/BugBounty/post…) and Facebook Bug Description Language (FBDL, facebook.com/BugBounty/post…) a way to represent the repro of a bug for ease of understanding and increased payouts.

collin (@libber):

wired.com/story/facebook… A decade of facebook bug bounty. 130,000 reports, 6,900 valid, 11.7 million paid out. An incredible team of folks lead this program now - it started in a basement and with us taking weekly trips to western union to send money orders to fulfill bounties.

Graham Bleaney (@grahambleaney):

For those attending PyCon US (it's too late to sign up!), check out the talk the_storm and I are giving on the myriad of APIs that can enable remote code execution in Python: us.pycon.org/2021/schedule/… These examples were originally compiled as a part of our work on Pysa.

collin (@libber):

Be well Dan Kaminsky, RIP One of the purest humans I've ever met. You embodied the best of [hacking, curiosity, fellowship]. The vista pentest summer was one of the best of my life. Even as you mercilessly crushed us at streetfighter2 literally one-handed x.com/dakami/status/…

collin (@libber):

Two folks on the Facebook product security team are presenting on our language-spanning security static analysis work. blackhat.com/us-21/briefing… We are always hiring, SEA, MPK, NYC, LON: facebook.com/careers/v2/job…

collin (@libber):

Open sourcing our 3rd and most recent homegrown static analysis, this time for mobile/java: engineering.fb.com/2021/09/29/sec…

Graham Bleaney (@grahambleaney):

I'll be presenting "Teaching an old dog new tricks: Reusing security tools in novel domains" at #Enigma2022 in Santa Clara, February 1–3, 2022. It provides case studies of how security tools like Pysa have been used in non-security applications at Facebook bit.ly/enigma2022

collin (@libber):

Outages won't stop facebook awarding money to good security work, here are this year's 3 winners of the internet defense prize: usenix.org/blog/facebook-…

collin (@libber):

Shift left in 60 seconds - libber.org/shift_left_in_… I've had success with shift left as a central strategy of infosec teams for the last n years and attempted a tl;dr of it without marketing fluff

collin (@libber):

Thoughts on how to maximize success as an infosec team that needs to roll out changes people may not like - collingreene.com/communicating_…

collin (@libber):

The differences between performing privacy and security work in a big company for my fellow computer security people. collingreene.com/security_and_p… I'm still newer to privacy work so this is my "most likely to be wrong" writeup, feedback welcome

collin (@libber):

An excellent writeup of what makes data "sensitive" and what that means for security and privacy strategicsec.substack.com/p/the-factors-…