With the new Security Bug Bounty program, Facebook plans to shell out $500 for security bugs "that could compromise the integrity or privacy of Facebook user data."
The following types of vulnerabilities could qualify for the bounty:
- Cross-Site Request Forgery (CSRF/XSRF)
- Cross-Site Scripting (XSS)
- Remote Code Injection
[ SEE: Facebook offers peek at incoming malware attacks ]
Facebook users are inundated with malicious attacks that exploit clickjacking/likejacking, cross-site scripting, CSRF and other Web-app vulnerabilities and the company hopes the new bug bounty program will help improve the quality of its code.
To qualify for a Facebook cash reward, security researches must adhere to the company's Responsible Disclosure Policy and agree to give Facebook "reasonable time to respond" before making any information public. Researchers must also make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service.
Although a typical bounty is set at $500, Facebook says it may increase the reward for specific, high-impact vulnerabilities.
The following bugs aren't eligible for a bounty:
- Security bugs in third-party applications (e.g., http://apps.facebook.com/[app_name])
- Security bugs in third-party websites that integrate with Facebook
- Security bugs in Facebook's corporate infrastructure
- Denial of Service Vulnerabilities
- Spam or Social Engineering techniques
Mozilla, Google and Barracuda Networks are among companies offering cash rewards for security holes in software products and Web sites.