Facebook on Friday launched a programme offering to pay a bounty for certain carefully defined security bugs, following the lead of Google, HP, Mozilla and others.
The company said on Friday it would pay a typical bounty of $500 (£300) to the first person to responsibly disclose a flaw that “could compromise the integrity or privacy of Facebook user data”. It gave as examples bugs such as cross-site scripting flaws, cross-site request forgeries and remote code injection.
The bounty may be increased for higher-risk flaws, Facebook said. It was careful to say that certain types of flaws are specifically excluded from the scheme, such as bugs in third-party applications, bugs in third-party websites that integrate with Facebook, bugs in Facebook’s corporate infrastructure, denial of service bugs and spam or social engineering techniques.
That means the programme won’t address the concerns raised by security firms such as Sophos, which has pointed out that the biggest privacy risks on Facebook typically come from sources such as social engineering or malicious applications.
Considering there are more than a million developers registered on the platform, it is “hardly surprising” that the site is “riddled” with rogue applications and viral scams, Sophos’ Cluley said in an open letter to Facebook in April.
Bugs can be disclosed via Facebook’s white hat hacking site.
Facebook said that in the past it has rewarded hackers for disclosing bugs by giving them name recognition or steering them toward job opportunities, but this marks the first time the company has paid white hat hackers.
The move follows companies such as Google, which in early 2010 launched a scheme paying between $500 and about $3,000 (£1,800) for bugs in its browser, web application or other properties. Google said it has given out $300,000 (£180,000) so far under the programme, including $90,000 (£55,000) this year, and is contacted 30 to 50 times per week by hackers wanting to disclose flaws.
Mozilla has operated a vulnerability reporting initiative for years. To qualify for its scheme, the security bug must be present in the most recent supported, beta or release candidate versions of Firefox, Thunderbird, Firefox Mobile or in Mozilla services that could compromise users of those products. Valid, critical bugs can earn reporters up to $3,000.
Security firm Barracuda Networks last November launched a scheme offering payment of up to $3,100 (£1,900) for researchers who find vulnerabilities in its products.