Facebook offering cash for security vulnerabilities

Summary:With a new Security Bug Bounty program, Facebook plans to shell out $500 for security bugs "that could compromise the integrity or privacy of Facebook user data."

As it struggles to cope with a surge in malicious hacker attacks against its massive user base, Facebook has joined a growing list of companies offering cash to hackers who responsibly report security vulnerabilities found on its web site.

With the new Security Bug Bounty program, Facebook plans to shell out $500 for security bugs "that could compromise the integrity or privacy of Facebook user data."

The following types of vulnerabilities could qualify for the bounty:

  • Cross-Site Request Forgery (CSRF/XSRF)
  • Cross-Site Scripting (XSS)
  • Remote Code Injection

follow Ryan Naraine on twitter
News of Facebook's bug bounty program comes amidst reports that a CSRF vulnerability is being actively exploited to trick users of the social network into spreading a survey scam via a series of social engineering tricks.

[ SEE: Facebook offers peek at incoming malware attacks ]

Facebook users are inundated with malicious attacks that exploit clickjacking/likejacking, cross-site scripting, CSRF and other Web-app vulnerabilities and the company hopes the new bug bounty program will help improve the quality of its code.

To qualify for a Facebook cash reward, security researches must adhere to the company's Responsible Disclosure Policy and agree to give Facebook "reasonable time to respond" before making any information public.  Researchers must also make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service.

Although a typical bounty is set at $500, Facebook says it may increase the reward for specific, high-impact vulnerabilities.

The following bugs aren't eligible for a bounty:

  • Security bugs in third-party applications (e.g., http://apps.facebook.com/[app_name])
  • Security bugs in third-party websites that integrate with Facebook
  • Security bugs in Facebook's corporate infrastructure
  • Denial of Service Vulnerabilities
  • Spam or Social Engineering techniques

Mozilla, Google and Barracuda Networks are among companies offering cash rewards for security holes in software products and Web sites.

Topics: Security, Social Enterprise


Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem... Full Bio

zdnet_core.socialButton.googleLabel Contact Disclosure

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.