January 3, 2012

The social networking giant, Facebook, is back with its bounty rewards for security researchers who help the site flush out problems and make it safer to use. Facebook has run such a program before, and it was a huge hit, so the company is returning to the same strategy to head off privacy issues. This time, however, Facebook is not paying out hard cash. Instead, researchers receive a Visa debit card.

The social networking site has come up with the idea of issuing a customized “White Hat Bug Bounty Program” Visa debit card to security researchers. They can use it to make purchases, just like a credit card, or create a PIN and withdraw money from an ATM. Each time a researcher reports a qualifying bug, Facebook adds the corresponding reward to the card’s balance.

Ryan McGeehan, manager of Facebook’s security response team, described the program to CNET: “Researchers who find bugs and security improvements are rare, and we value them and have to find ways to reward them.” He continued, “Having this exclusive black card is another way to recognize them. They can show up at a conference and show this card and say ‘I did special work for Facebook.’ We might make it a pass to get into a party. We’re trying to be creative.”

McGeehan also pointed to the extra perks a researcher or hacker could get with this unique debit card. For instance, he noted, “We might make it a pass to get into a party,” adding, “We’re trying to be creative.”

The procedure for hackers and researchers is simple: they sign up at Facebook’s white hat portal, called Information for Security Researchers, at facebook.com/whitehat, and report their findings directly to Facebook’s security team.

This is not all. Participants must also abide by Facebook’s Responsible Disclosure Policy, which reads as follows:

If you give us a reasonable time to respond to your report before making any information public and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research, we will not bring any lawsuit against you or ask law enforcement to investigate you.

Facebook’s new bounty program is completely different from what it offered last time. No other company has paid out bug bounties in this fashion or anything similar; rewards have always been paid in hard cash.

As for the payout, Facebook confirmed that the minimum a researcher can earn for reporting a valid Facebook bug is $500, with no upper limit. Based on last year’s experience, the largest payment for a single bug report ($5,000) has been made several times.

McGeehan also noted, “Whenever possible we’re going to try to load-in White Hat researchers into products early–as soon as (they are) in production.” With this move, Facebook “will get an early warning on anything they find.”

At the time of writing, Facebook had received help from 84 different researchers.