
Facebook announced today plans to expand its bug bounty program and accept reports about third-party apps that access and misuse Instagram user data.
Today's announcement is an expansion of Facebook's Data Abuse Bounty program to include reports about Instagram apps, in addition to the reports the company was accepting about Facebook data misuse.
Facebook launched the Data Abuse Bounty program in April 2018, after the Cambridge Analytica scandal, during which Cambridge Analytica employees abused Facebook's platform to harvest data about Facebook users, in violation of Facebook's developer policies.
Through the Data Abuse Bounty program, Facebook offered to pay monetary rewards to security researchers who hunted similar cases of Facebook apps illegally harvesting or misusing Facebook user data.
Starting today, the same offer is also valid for Instagram apps, and security researchers are free to poke around Instagram third-party apps and see if they're collecting more data than they are disclosing, or for which they have not obtained consent.
If they find such cases, they can file a report with Facebook's security team, which will investigate each case, and pay out a bounty if the report is both valid and well-written. Per the program's existing rules, rewards can go up to $40,000 per report.
Historically, the program has been quite successful in tackling app abuse on the Facebook platform. For example, last February, Nightwatch Security found that a third-party Android application with Facebook API access was copying and storing data outside of the social network in an insecure manner.
Instagram's Cambridge Analytica moment
Facebook's decision to include Instagram apps in its Data Abuse Bounty program comes after the company banned Instagram advertising partner Hyp3r at the start of the month.
A Business Insider investigation found that Hyp3r secretly harvested and stored millions of Instagram users' stories, locations, biographies, images, and interests in order to build up detailed profiles, a practice against Instagram's rules.
"Putting people first is one of Instagram's most important values, and keeping our service secure is an essential part of the work we do to serve our community," Nam Nguyen, Instagram Head of Engineering, told ZDNet.
"Expanding and building on the Facebook bug bounty program is a key development in our ongoing security efforts, and we are grateful to the wider security community for all they do to help keep our platforms safe," Nguyen added.
Facebook has recently been trying to address problems with external developers abusing its platforms and features. Earlier this month, the social network sued LionMobi and JediMobi, two Android app developers, for ad fraud perpetrated against Facebook's Audience Network advertising platform.
Invite-only bug bounty program for Instagram Checkout
In addition to extending the Data Abuse Bounty program to Instagram, Facebook also announced a second bug bounty program targeting another Instagram feature.
The social network said it plans to run an invite-only bug bounty program with selected security researchers who will be tasked with finding bugs in Checkout, an Instagram feature announced in March that allows users to purchase products directly on Instagram without leaving the app.
"The researchers who are helping us test this feature have previously submitted high-quality research to our bug bounty program," Facebook said.
"As part of their participation, the researchers will receive early access to the feature and receive bounty awards for eligible reports."