Facebook launches security bug bounty program

Summary: Facebook has launched a security bug bounty program that rewards security researchers for privately and responsibly informing the company of website vulnerabilities.

Facebook has launched a program that compensates security researchers who discover vulnerabilities in the website's code. To cash in, hackers must sign up at Facebook's new whitehat hacking portal, called Information for Security Researchers, at facebook.com/whitehat, and report the issues directly to Facebook's security team.

Facebook offers a base payment of $500 (one bounty per security bug) but says it is willing to pay more if the discovered flaw is a major one. The company says the new program is one of the ways it shows appreciation to the security researchers who help it keep the service safe and secure for everyone. It is also allowing security researchers to create test accounts on Facebook in a way that neither violates the website's terms of use nor affects other Facebook users.

In order to qualify for a bounty, Facebook says that hackers must:

  • Adhere to its Responsible Disclosure Policy by giving the company a reasonable time to respond to a report before making any information public and make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of the service during research
  • Be the first person to responsibly disclose the bug
  • Report a bug that could compromise the integrity or privacy of Facebook user data, such as Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF/XSRF), and Remote Code Injection
  • Reside in a country not under any current US Sanctions (such as North Korea, Libya, Cuba, and so on)

Previously, Facebook had focused on simple recognition, putting the security researcher's name on its security page under a list of White Hats (at the time of writing, 42 individuals were listed). The company also often sent them Facebook merchandise, and even offered jobs based on their disclosures or their security work elsewhere (infamous hacker Geohot was hired three months ago). Now the portal has been upgraded so that security researchers can sign up, log in, and report bugs.

That being said, there are some exceptions that Facebook lists right off the bat:

  • Security bugs in third-party applications
  • Security bugs in third-party websites that integrate with Facebook
  • Security bugs in Facebook's corporate infrastructure
  • Denial of Service Vulnerabilities
  • Spam or Social Engineering techniques

Since Facebook has more than 750 million users, a single vulnerability can potentially affect a huge number of people. As a result, this security bug bounty program, while not a new idea (Mozilla and Google offer similar programs), helps hackers make a positive impact on the website.


Emil Protalinski

About Emil Protalinski

Emil is a freelance journalist writing for CNET and ZDNet. Over the years,
he has covered the tech industry for multiple publications, including Ars
Technica, Neowin, and TechSpot.


  • RE: Facebook launches security bug bounty program

    Maybe they should change their name to FACEBUG.
    • RE: Facebook launches security bug bounty program

      @slater@... Or BugFace?
  • RE: Facebook launches security bug bounty program

    What is a successful hack into a company like Facebook worth?.....How does it compare to $500?
  • RE: Facebook launches security bug bounty program

    What Facebook is doing is trying to control the publicity surrounding their failure to secure the Facebook system and customers' data. If all the bug reports go directly to them, they quietly fix the problem and no one is the wiser. A bug reported to Facebook directly through this program no doubt includes a non-disclosure agreement that they could use to sue into poverty anyone disclosing that they sounded the alarm about a security problem.
  • RE: Facebook launches security bug bounty program

    So basically Facebook pays you $500 to keep your mouth shut while they work on the security bug you tell them about. Of course, they will only pay you if you are the first one to tell them about the bug.

    This is like a contest scam that many companies are using. Some call it crowdsourcing. In the end, many people are working for a shitty price that only one gets. A retarded scam for retarded people.