Facebook has launched a program for compensating security researchers who discover vulnerabilities in the website's code. To cash in, hackers must sign up at Facebook's new whitehat hacking portal, called Information for Security Researchers, at facebook.com/whitehat, and report the issues directly to Facebook's security team.
In order to qualify for a bounty, Facebook says that hackers must:
- Adhere to its Responsible Disclosure Policy: give the company a reasonable time to respond to a report before making any information public, and make a good-faith effort to avoid privacy violations, destruction of data, and interruption or degradation of the service during research
- Be the first person to responsibly disclose the bug
- Report a bug that could compromise the integrity or privacy of Facebook user data, such as Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF/XSRF), and Remote Code Injection
- Reside in a country not under any current US Sanctions (such as North Korea, Libya, Cuba, and so on)
Previously, Facebook had focused on simple recognition, putting the security researcher's name on its security page under a list of White Hats (at the time of writing, there were 42 individuals listed). The company also often sent them Facebook merchandise, and even offered jobs based on their disclosures or their security work elsewhere (infamous hacker Geohot was hired three months ago). Now the portal has been upgraded so that security researchers can sign up, log in, and report bugs.
That being said, there are some exceptions that Facebook lists right off the bat:
- Security bugs in third-party applications
- Security bugs in third-party websites that integrate with Facebook
- Security bugs in Facebook's corporate infrastructure
- Denial of Service Vulnerabilities
- Spam or Social Engineering techniques
Since Facebook has more than 750 million users, vulnerabilities can potentially affect a huge number of people. As a result, this security bug bounty program, while not a new idea (Mozilla and Google offer one as well), helps hackers make a positive impact on the website.