Interview with John "Four" Flynn of Facebook

The Wednesday evening reception at USENIX Security '14 kicked off with an exciting announcement: the awarding of the inaugural Internet Defense Prize, sponsored by Facebook! The $50,000 prize recognizes superior quality research that combines a working prototype with significant contributions to the security of the Internet--particularly in the areas of prevention and defense. The award amount is to be used by the winning author(s) to take the prototype referenced in their research paper to the next level for something practical, accessible, and impactful.

Earlier today, I conducted a short Q & A with John “Four” Flynn, Security Engineering Manager, who served as the Facebook representative on the Award Committee.

JBM: Tell me more about this prize. How did it come into existence, and why?
JFF: Facebook has a long tradition of rewarding security research, primarily through our bug bounty program where we’ve awarded over $3M to researchers who reported bugs in our software. We also contribute security tools to the open source community and fund efforts like the Internet Bug Bounty that offer money to people who improve core web technology. We decided we wanted to aim for bigger impact, so we looked at where there were opportunities to do more work that protects people. Offensive security work and theoretical research get lots of time in the spotlight, but defense work that focuses on protection often doesn’t receive the same amount of attention. With the Internet Defense Prize, we want to help those who are doing defensive work take their research to the next level and create real impact.

JBM: How did you choose the winning paper, and why was this one chosen?
JFF: It was great to see so many good research papers right from the start. We ended up selecting a paper called “Static Detection of Second-Order Vulnerabilities in Web Applications” which was written by Johannes Dahse and Thorsten Holz of Ruhr-Universität Bochum in Germany. In addition to their impressive results, the committee responded well to their implementation approach. The technical merit of the paper was strong, and the committee could see a clear path for applying the award funds to push the research to the next level in order to produce broader impact and encourage people to implement the technology.

JBM: What are Facebook’s goals for this prize in the short- and long-term?
JFF: We want to invite researchers to submit their work for consideration to be a future recipient of the Internet Defense Prize. Ultimately, we want to see more security research that focuses on defense and that makes it from the academic world into the hands of the community. There’s no reason why the best minds from the research community can’t deliver technology that will significantly improve the overall security of the web.

JBM: How can someone learn more about this prize (or others) from Facebook?
JFF: We’re putting together more details about the timing and the specifics about future awards from the Internet Defense Prize. Those will be available from Facebook and USENIX at a later date. In the meantime, people can submit questions or feedback to