Facebook Launches Bug Bounty Program

Type threatpost
Reporter Chris Brook
Modified 2013-04-17T16:34:04


Social networking giant Facebook has finally boarded the bug bounty bandwagon. The company announced late last week that it will award $500 for each bug to those who share information about flaws that could compromise the site’s privacy. The news confirms rumors that began to bubble at a Hack in the Box security conference back in May.

Bugs eligible for the bounty include script errors and code injection, but the program excludes third-party applications like Farmville and denial-of-service (DDoS) vulnerabilities.

Like most bounty programs, Facebook’s encourages security researchers to adhere to its Responsible Disclosure Policy, giving the company a “reasonable” amount of time to respond to bugs before they are publicly disclosed.

Unlike most bounty programs, however, Facebook’s reward is considerably smaller than those of its contemporaries. Mozilla currently offers $3,000 to those who find flaws in its Firefox browser and Thunderbird client, while Google pays out $3,133.7 to researchers who find bugs in its Chromium browser.

Facebook mentioned it may increase the reward for certain bugs, but a top dollar amount has not been designated yet.

Despite adding two-factor authentication in April, the Palo Alto, Calif.-based company continues to garner its share of scrutiny on the security front, as the site serves as a magnet for spam and clickjacking scams.