Facebook launches security bug bounty program

Facebook has launched a security bug bounty program that rewards security researchers for privately and responsibly informing the company of website vulnerabilities.

Facebook has launched a program for compensating security researchers who discover vulnerabilities in the website's code. To cash in, hackers must sign up at Facebook's new whitehat hacking portal, called Information for Security Researchers, at facebook.com/whitehat, and report the issues directly to Facebook's security team.

Facebook offers a base payment of $500 (one bounty per security bug) but says it is willing to pay more if the discovered flaw is a major one. The company says this new program is one of the ways it shows appreciation to the security researchers who help it keep the service safe and secure for everyone. It is allowing security researchers to create test accounts on Facebook in a way that doesn't violate the website's terms of use and doesn't impact other Facebook users.

In order to qualify for a bounty, Facebook says that hackers must:

  • Adhere to its Responsible Disclosure Policy by giving the company a reasonable time to respond to a report before making any information public and make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of the service during research
  • Be the first person to responsibly disclose the bug
  • Report a bug that could compromise the integrity or privacy of Facebook user data, such as Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF/XSRF), and Remote Code Injection
  • Reside in a country not under any current US Sanctions (such as North Korea, Libya, Cuba, and so on)

Previously, Facebook had focused on simple recognition by putting the security researcher's name on its security page under a list of White Hats (at the time of writing, there were 42 individuals listed). The company also often sent them Facebook merchandise, and even offered jobs based on their disclosures or their security work elsewhere (infamous hacker Geohot was hired three months ago). Now the portal has been upgraded so that security researchers can sign up, log in, and report bugs.

That being said, there are some exceptions that Facebook lists right off the bat:

  • Security bugs in third-party applications
  • Security bugs in third-party websites that integrate with Facebook
  • Security bugs in Facebook's corporate infrastructure
  • Denial of Service Vulnerabilities
  • Spam or Social Engineering techniques

Since Facebook has more than 750 million users, vulnerabilities can potentially affect a huge number of people. As a result, this security bug bounty program, while not a new idea (Mozilla and Google offer one as well), helps hackers make a positive impact on the website.