Facebook to offer bug bounty to hackers who find flaws in its systems

Several companies already reward 'white hat' hackers who responsibly report flaws in their web services, but Facebook is apparently going a step further with payments to those who find vulnerabilities in their internal systems
Written by David Meyer, Contributor

Facebook and Google have for some time offered bounties to hackers who find vulnerabilities in their public-facing systems, but now the social network has gone a step further by offering to reward hackers who find and report flaws in Facebook's corporate network.

According to a Bloomberg report on Thursday morning, the move will be announced at the DefCon hacking conference. "If there's a million-dollar bug, we will pay it out," Facebook security response chief Ryan McGeehan was quoted as saying.

The idea of a company paying so-called 'white hat' hackers to probe their sites and report flaws — rather than exploiting them — is rare, but far from new. Google and Facebook do it, as do Mozilla, HP and, as of last month, PayPal.

However, rewarding people for breaking into internal systems is an even riskier proposition. According to the Bloomberg piece, Facebook was moved to introduce the new bounty scheme after an external researcher informed the company of a flaw that meant outsiders could listen in to their internal conversations.

Facebook's bug bounty page says the company will pay a minimum of $500 for each responsible disclosure, as long as the bug could "compromise the integrity of Facebook user data, circumvent the privacy protections of Facebook user data, or enable access to a system within Facebook's infrastructure".

The only kinds of bugs that Facebook won't pay out for are those in third-party apps or websites, denial-of-service vulnerabilities, and spam or social engineering techniques, none of which Facebook has any control over.

Editorial standards