Facebook White Hat Program Now Offers Bounty for Disclosing Security Bugs

Facebook has added a bounty system to its white hat program today that rewards security researchers for privately and responsibly informing the company of site vulnerabilities. Researchers can earn $500 or more for disclosing bugs that could endanger users, such as cross-site scripting (XSS) or remote code injection.

Facebook had previously allowed researchers to submit bugs, but the addition of a monetary reward announced today on the Facebook Security Page should encourage participation in the program and help the site close gaps in security before they’re exploited.

The white hat program was first launched in December 2010, protecting researchers who happened to break the site's terms of service in the process of responsibly discovering and reporting vulnerabilities. Previously, their accounts were in jeopardy if they submitted research that required TOS violations, which discouraged participation in the program.

Researchers must still “make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service”, and “give us a reasonable time to respond to your report before making any information public.” Within those limits, data mining, scraping, or using fake accounts to perform security research that leads to a disclosure is likely permissible.

Eligible bugs include those found on Facebook.com, the Facebook mobile apps, and the Platform APIs. To claim the bounty, a researcher must be the first to responsibly report the bug and must reside in a country not under US sanctions; only one bounty is awarded per bug. Reports of bugs in third-party apps or websites or in Facebook’s corporate infrastructure, as well as spam, social engineering, and denial of service issues, are not eligible for a bounty.

The site has made a wide variety of other efforts both to improve security technically and to educate users about how to protect themselves. It began allowing users to browse over a secure HTTPS connection in January, will require third-party apps to support HTTPS by October, and now shows security roadblocks when users click links suspected of XSS or clickjacking. Facebook has partnered with Web of Trust to identify suspicious links, and with McAfee to offer users discounted virus protection.

Facebook has been criticized in the past when security researchers publicly announced vulnerabilities rather than privately disclosing them. The new bounty system might convince them to use the white hat program instead, allowing Facebook to improve security without taking a public relations hit.
