Facebook launches security bug bounty program

By Emil Protalinski | August 1, 2011, 8:01am PDT

Summary: Facebook has launched a security bug bounty program that rewards security researchers for privately and responsibly informing the company of website vulnerabilities.

Facebook has launched a program for compensating security researchers that discover vulnerabilities in the website’s code. To cash in, hackers must sign up at Facebook’s new whitehat hacking portal, called Information for Security Researchers, over at facebook.com/whitehat and report the issues directly to Facebook’s security team.

Facebook offers a base payment of $500 (one bounty per security bug) but says it is willing to pay more if the discovered flaw is a major one. The company says this new program is one of the ways it shows appreciation to the security researchers who help it keep the service safe and secure for everyone. It is allowing security researchers to create test accounts on Facebook in a way that doesn’t violate the website’s terms of use and doesn’t impact other Facebook users.

In order to qualify for a bounty, Facebook says that hackers must:

  • Adhere to its Responsible Disclosure Policy by giving the company a reasonable time to respond to a report before making any information public and make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of the service during research
  • Be the first person to responsibly disclose the bug
  • Report a bug that could compromise the integrity or privacy of Facebook user data, such as Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF/XSRF), and Remote Code Injection
  • Reside in a country not under any current US Sanctions (such as North Korea, Libya, Cuba, and so on)

Previously, Facebook has focused on simple recognition by putting the security researcher’s name on its security page under a list of White Hats (at the time of writing, there were 42 individuals listed). The company also often sent them Facebook merchandise, and even offered jobs based on their disclosures or their security work elsewhere (infamous hacker Geohot was hired three months ago). Now the portal has been upgraded so that security researchers can sign up, log in, and report bugs.

That being said, there are some exceptions that Facebook lists right off the bat:

  • Security bugs in third-party applications
  • Security bugs in third-party websites that integrate with Facebook
  • Security bugs in Facebook’s corporate infrastructure
  • Denial of Service Vulnerabilities
  • Spam or Social Engineering techniques

Since Facebook has more than 750 million users, vulnerabilities can potentially affect a huge number of people. As a result, this security bug bounty program, while not new (Mozilla and Google offer one as well), helps hackers make a positive impact on the website.


Disclosure

Emil Protalinski

Emil has nothing to disclose.

Biography

Emil Protalinski

Emil Protalinski has covered the tech industry for five years for multiple publications, including Neowin for two years and Ars Technica for three years. He has written 1,000s of articles for both, with a particular focus on scrutinizing Microsoft products and services. Recently, Emil has expanded his coverage to non-Microsoft technologies, including the social networking giant Facebook.

Comments
Maybe they should change their name to FACEBUG.
@slater@... Or BugFace?
What is a successful hack into a company like Facebook worth?.....How does it compare to $500?
What Facebook is doing is trying to control the publicity surrounding their failure to secure the Facebook system and customers' data. If all the bug reports go directly to them, they quietly fix the problem and no one is the wiser. A bug reported to Facebook directly through this program no doubt includes a non-disclosure agreement that they could use to sue into poverty anyone disclosing that they sounded the alarm about a security problem.
So basically Facebook pays you $500 to keep your mouth shut while they work on the security bug you tell them about. Of course, they will only pay you if you are the first one to tell them about the bug.

This is like a contest scam that many companies are using. Some call it crowdsourcing. In the end it is many people working for a ****** prize that only one gets. A retarded scam for retarded people.