X
2011

Facebook Lures Hackers With $500 Bounty For Reporting Bugs

August 1, 2011 0

Los Angeles — In an attempt to protect its Face from being marred, social media networking colossus Facebook, over the weekend unleashed a program that will pay hackers who find bugs on its website–a bounty of US$500, far less than bug bounties offered by companies like Google or Microsoft.

Facebook revealed the news via its Facebook Security Page, that it is launching a security “bug bounty program”. Hackers are encouraged to inform about security bugs in apps, third-party websites that integrate with Facebook, and Facebook’s own corporate infrastructure. Other types of bugs, for example spam or “social engineering techniques”, are also on Facebook’s wanted list.

Initially, compensation will begin at $500 and, as yet no financial ceiling has been set. Besides, it will be paid only to researchers who follow Facebook’s Responsible Disclosure Policy and agree not to go public with the vulnerability information until Facebook has fixed the problem.

“To express our appreciation for our security researchers, we offer a monetary bounty for certain qualifying security bugs,” Facebook wrote on a page entitled “Security Bug Bounty”.

“Typically, it is no longer than a day” to fix a bug, Facebook Chief Security Officer Joe Sullivan told Cnet in a conference call.

To become eligible for the bounty, users must adhere to Facebook’s Responsible Disclosure Policy, you must be the first to report the security glitch, reside in a country not under any current U.S. sanctions (such as North Korea, Libya, Cuba, etc.), and the bug must be native to Facebook (not in, say, Farmville).

Evidently, you must be the first person to report a specific bug; no bounties for an error are given out twice.

“If you believe you have discovered a security vulnerability on Facebook, we encourage you to let us know right away,” the company says. “We will investigate all legitimate reports and do our best to quickly fix the problem.”

Particularly, Facebook is concerned about bugs that “jeopardizes the integrity or privacy of Facebook user data,” it said.

“Some of our best engineers have come to work here after pointing out security bugs on our site,” like Ryan McGeehan, manager of Facebook’s security response team, said Alex Rice, product security lead at Facebook. (Facebook, like Microsoft and Google, has been known to hire grey hat hackers in the past; most recently it scooped up famed Playstation 3 hacker George “Geohot” Hotz.)

Nevertheless, the social media giant is not alone in recruiting hackers to their side. Google and Mozilla have each launched a similar bounty program to considerable success, according to Computer World.