
Facebook’s ‘Bug Bounty Programme’: $40 000 spent so far


Facebook has spent US$40 000 over the past three weeks rewarding researchers for discovering security flaws in the social network.

Earlier this month Facebook launched a programme called the Bug Bounty Program, which encourages security experts to help strengthen the social network against attacks.

In a recent blog post Facebook’s chief security officer, Joe Sullivan, revealed some information about the early days of the Bug Bounty Programme.

“The programme has already paid out more than US$40 000 in only three weeks and one person has already received more than US$7 000 for six different issues flagged. It has been a joy to engage in dialogue about issues and hear from the diverse perspectives these people bring,” says Sullivan.

Facebook encourages security researchers to reveal security bugs responsibly. “If you give us a reasonable time to respond to your report before making any information public and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research, we will not bring any lawsuit against you or ask law enforcement to investigate you,” says the social network.

In order to qualify for a bounty, researchers must adhere to the following terms:

  • Follow Facebook’s Responsible Disclosure Policy
  • Be the first person to responsibly disclose the bug
  • Report a bug that could compromise the integrity or privacy of Facebook user data, such as:
      • Cross-Site Scripting (XSS)
      • Cross-Site Request Forgery (CSRF/XSRF)
      • Remote Code Injection
  • Reside in a country not under any current U.S. sanctions (e.g., North Korea, Libya, Cuba, etc.)

According to Sullivan, Facebook pays out a minimum of US$500 for reporting a bug, rising to a maximum of US$5 000 for the most serious security problems. The maximum bounty has already been paid once, for what Sullivan calls a “really good report”.

Graham Cluley, senior technology consultant at Sophos, told the BBC that many other technology companies such as Google and Mozilla have similar schemes that have proved useful in rooting out bugs.

However, Cluley adds that the Bug Bounty scheme might be missing the biggest source of security problems on Facebook.

“They’re specifically not going to reward people for identifying rogue third party Facebook apps, clickjacking scams and the like,” he said. “It’s those sorts of problems which are much more commonly encountered by Facebook users and have arguably impacted more people.”

“Facebook claims there are over one million developers on the Facebook platform, so it’s hardly surprising that the service is riddled with rogue apps and viral scams,” he said.

  • maksim

    bullshit, I submitted a bug but did not get a response or money for that matter. The bug is:
    if you send a message to someone and then block that person right away, they will not be able to block you until you unblock them first. Of course, you can then unblock them and send another message to them and block them again, so this way they will never be able to block you and will always receive your messages. It's a good way for cyber harassers or whatever to bother people or stalk them.
