Facebook's Bug Bounty Program: Paying Hackers to Find Security Threats
For decades, hackers have been seen as the enemy. Hackers have been known to steal identities, corrupt computers and break online systems. However, this has changed recently with a new program which pays hackers to find security threats in the Facebook platform, dubbed the Bug Bounty Program.
What is Facebook's Bug Bounty Program?
The Facebook platform is the product of years of programming and design, which makes it incredibly difficult to spot all of the “holes” in the system. Facebook has a dedicated team specifically focused on finding bugs within its system. But the recent Bug Bounty Program takes this process a step further by enlisting skilled outside programmers to help find these bugs, and other problems, within the platform.
For quite some time, programmers have been active in reporting bugs and issues in the Facebook platform. It was the recent addition of the Bug Bounty Program that rewarded these efforts, to the tune of $500 for each report.
Facebook, due to its sheer size and popularity, is constantly under malicious attack. Many of these problems stem from bugs within the platform’s code, which can give attackers access to valuable and sensitive information.
Outsourcing the reporting of bugs and issues within the Facebook platform has revealed many flaws which have slipped past the in-house team. Thousands of dollars have already been paid out to individuals submitting information to Facebook through the Bug Bounty Program. One individual has already received well over $7,000 for their efforts in bug reporting.
Unfortunately, the bounty program does not include third-party programs and websites, which happen to be the main concerns and problems with Facebook and its users. The in-house team that is dedicated to this area has its own process of quality control.
Facebook’s bug bounty program follows suit with programs offered by Mozilla and Google, which also pay bounties for bugs and issues in their software. This has proved to be an effective way of securing the respective platforms.
Who is Eligible for Facebook’s Bug Bounty Program?
To qualify for the bounty program on Facebook, users must agree to the Responsible Disclosure Policy. This prevents them from releasing sensitive security information to the general public, where it could be used for malicious activity.
Only the first user to submit a report of a given bug in the Facebook platform will be rewarded. Reporters must not be from a country currently under United States sanctions, such as Cuba or North Korea.
Bugs submitted to the bounty program must relate to the security, integrity or privacy of Facebook and Facebook users. General examples include cross-site scripting (XSS), cross-site request forgery (CSRF) or remote code injection.
The security team will review the bug submission and determine whether the user has followed the required submission process and can be rewarded for their efforts. Anyone with programming knowledge may become active in finding Facebook bugs, but only the first report submitted about a specific bug will earn a reward. The reward may increase depending on the bug.
Finally, Facebook has also given those involved with the bug bounty program a way to create test accounts, so that they can avoid corrupting personal accounts. Further requirements and examples of bugs to report to the Facebook team can be found on the Facebook bug bounty page. In time, many of these bugs will be found and Facebook will become a very stable platform, despite its sheer size and the complexity of its code.
What Submissions Do Not Count in Facebook’s Bug Bounty Program
Not every bug submission is eligible for a reward. Non-qualifying bugs mainly relate to common problems and, as mentioned, third-party applications and websites. Here are a few of the exclusions from the bug bounty program:
- Bugs from third-party applications
- Bugs from third-party websites
- Bugs on Facebook’s corporate websites and infrastructure
- Denial of service attacks and vulnerabilities
- General spam or social engineering techniques
The listed items are generally handled by the in-house team at Facebook. These categories are too large for the bounty program to keep up with the pay-outs, although this may change in the near future as the platform continues to grow.