Facebook White Hat Program Now Offers Bounty for Disclosing Security Bugs

Facebook has added a bounty system to its white hat program today that rewards security researchers for privately and responsibly informing the company of site vulnerabilities. Researchers can make $500 or more for disclosing bugs that could endanger users, such as cross-site scripting (XSS), or remote code injection.

Facebook had previously allowed researchers to submit bugs, but the addition of a monetary reward announced today on the Facebook Security Page should encourage participation in the program and help the site close gaps in security before they’re exploited.

The white hat program was first launched in December 2010, protecting researchers who happened to break its terms of service in the process of responsibly discovering and reporting vulnerabilities. Previously, their accounts were in jeopardy if they submitted research that required TOS violations, discouraging participation in the program.

Researchers must still “make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service”, and “give us a reasonable time to respond to your report before making any information public.” Data mining or scraping, and using fake accounts to perform security research leading to a disclosure, are likely admissible.

Eligible bugs include those found on Facebook.com, Facebook mobile apps, and the Platform APIs. To claim the bounty, researchers must be the first to responsibly report a bug and must reside in a country not under US sanction; only one bounty will be awarded per bug. Reports of bugs in third-party apps or websites, Facebook’s corporate infrastructure, as well as spam, social engineering, and denial of service issues are not eligible for a bounty.

The site has made a wide variety of other efforts to both technically improve security and educate users about how to protect themselves. It began allowing users to browse over a secure HTTPS connection in January, will require third-party apps to support HTTPS by October, and now shows security roadblocks when users click links suspected of XSS or clickjacking. Facebook has partnered with Web of Trust to identify suspicious links, and with McAfee to offer users discounted virus protection.

Facebook has been criticized in the past when security researchers publicly announced vulnerabilities rather than privately disclosing them. The new bounty system might convince them to use the white hat program instead, allowing Facebook to improve security without taking a public relations hit.
