30 Jul 2011

Facebook today is launching a "bug bounty" program, with rewards starting at $500 and no cap

Facebook today is launching a "bug bounty" program under which it will pay security researchers who find bugs and vulnerabilities in Facebook and report them to the company to be fixed. Researchers who find bugs and report them to Facebook under its "Responsible Disclosure Policy" will be rewarded starting at $500, with no cap on how large a bounty a researcher can earn.
Facebook follows in the footsteps of Google and Mozilla, which already run bug bounty programs. Mozilla offers up to $3,000 for bugs found in its open-source software such as Firefox, and Google offers between $500 and $1,337 (1337 spells "leet" in the "leet speak" hacker lexicon that dates to the 1980s).

One of the reasons that Facebook became the dominant social network of the Web 2.0 movement is that it fostered a developer community that built aggressively on top of the platform. As such, the bug bounty program is a natural extension of that community.
To qualify for the bounty, researchers must adhere to the Responsible Disclosure Policy and find a bug that "could compromise the integrity or privacy of Facebook user data." That includes cross-site scripting (XSS), cross-site request forgery (CSRF/XSRF), remote code injection, or any other such known vulnerability class.
Only one bounty will be awarded per specific bug, starting at $500 and increasing with the severity and type of bug. Bugs in third-party applications, third-party websites, or Facebook's corporate infrastructure are not eligible, nor are denial-of-service vulnerabilities, social engineering (phishing), or spam techniques. Essentially, the bug must be in the Facebook platform itself and not in some extension, app, or add-on that is built on it.
Here is the Responsible Disclosure Policy from the new White Hat information page for security researchers:
"If you give us a reasonable time to respond to your report before making any information public and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research, we will not bring any lawsuit against you or ask law enforcement to investigate you."