Facebook is giving security researchers a customized "White Hat Bug Bounty Program" Visa debit card. They can use it to make purchases, just like a credit card, or can create a PIN and take money out of an ATM. If the researchers find more bugs, Facebook can add more money into their account.
"Researchers who find bugs and security improvements are rare, and we value them and have to find ways to reward them," Ryan McGeehan, manager of Facebook's security response team, told CNET. "Having this exclusive black card is another way to recognize them. They can show up at a conference and show this card and say 'I did special work for Facebook.' We might make it a pass to get into a party. We're trying to be creative."
Six months ago, Facebook launched a security bug bounty program designed to compensate security researchers who discover vulnerabilities in the website's code. To cash in, hackers must sign up at Facebook's whitehat hacking portal, called Information for Security Researchers, at facebook.com/whitehat and report the issues directly to Facebook's security team.
They must also respect Facebook's Responsible Disclosure Policy, which reads as follows:
If you give us a reasonable time to respond to your report before making any information public and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research, we will not bring any lawsuit against you or ask law enforcement to investigate you.
This new Visa initiative points to Facebook wanting to do something different from other companies that pay bug bounties, including Google and Mozilla. After all, these security researchers are helping the social networking giant improve its software to keep hackers and malware out.
The minimum a researcher can make for reporting a proper Facebook bug is $500. There is no maximum. The biggest payment for one bug report ($5,000) has been made several times. At the time of writing, Facebook had received help from 84 different researchers.