As it struggles to cope with a surge in malicious hacker attacks against its massive user base, Facebook has joined a growing list of companies offering cash to hackers who responsibly report security vulnerabilities found on its web site.
With the new Security Bug Bounty program, Facebook plans to shell out $500 for security bugs "that could compromise the integrity or privacy of Facebook user data."
The following types of vulnerabilities could qualify for the bounty:
- Cross-Site Request Forgery (CSRF/XSRF)
- Cross-Site Scripting (XSS)
- Remote Code Injection
News of Facebook's bug bounty program comes amidst reports that a CSRF vulnerability is being actively exploited to trick users of the social network into spreading a survey scam via a series of social engineering tricks.
Facebook users are inundated with malicious attacks that exploit clickjacking/likejacking, cross-site scripting, CSRF and other Web-app vulnerabilities and the company hopes the new bug bounty program will help improve the quality of its code.
To qualify for a Facebook cash reward, security researches must adhere to the company's Responsible Disclosure Policy and agree to give Facebook "reasonable time to respond" before making any information public. Researchers must also make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service.
Although a typical bounty is set at $500, Facebook says it may increase the reward for specific, high-impact vulnerabilities.
The following bugs aren't eligible for a bounty:
Security bugs in third-party applications (e.g., http://apps.facebook.com/[app_name])
Security bugs in third-party websites that integrate with Facebook
Security bugs in Facebook's corporate infrastructure
Denial of Service Vulnerabilities
Spam or Social Engineering techniques
Mozilla, Google and Barracuda Networks are among companies offering cash rewards for security holes in software products and Web sites.