$500 USD Facebook Security Bug Bounty Program Launched

To show appreciation to security researchers, Facebook has launched a monetary bounty for certain qualifying security bugs. The compensation, which starts at $500 and has no maximum set, will be paid only to researchers who follow Facebook's Responsible Disclosure Policy and agree not to go public with the vulnerability information until Facebook has fixed the problem.

"Typically, it's no longer than a day" to fix a bug, Facebook Chief Security Officer Joe Sullivan told CNET in a conference call. Under the previous system, researchers were given recognition on the Whitehat page and potentially a job offer, though the chances of the latter were slim unless they consistently found flaws and helped to fix them.

"If you're a security researcher, please review our responsible disclosure policy before reporting any vulnerabilities. If you're not a security researcher, visit the Facebook Security Page for assistance. If you believe you've found a security vulnerability on Facebook, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem," the Facebook page says.

Facebook has also rewarded those who have adhered to its policy by posting their names on the Whitehat page. The page has the following to say:

"If you give us a reasonable time to respond to your report before making any information public and make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service during your research, we will not bring any lawsuit against you or ask law enforcement to investigate you."

Here's how it works:

Eligibility

To qualify for a bounty, you must:

  • Adhere to our Responsible Disclosure Policy: ... give us a reasonable time to respond to your report before making any information public and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research ...
  • Be the first person to responsibly disclose the bug
  • Report a bug that could compromise the integrity or privacy of Facebook user data, such as:
    • Cross-Site Scripting (XSS)
    • Cross-Site Request Forgery (CSRF/XSRF)
    • Remote Code Injection
  • Reside in a country not under any current U.S. Sanctions (e.g., North Korea, Libya, Cuba, etc.)
Our security team will assess each bug to determine if it qualifies.

Rewards

  • A typical bounty is $500 USD
  • We may increase the reward for specific bugs
  • Only 1 bounty per security bug will be awarded

Exclusions

The following bugs aren't eligible for a bounty (and we don't recommend testing for these):

  • Security bugs in third-party applications (e.g., http://apps.facebook.com/[app_name])
  • Security bugs in third-party websites that integrate with Facebook
  • Security bugs in Facebook's corporate infrastructure
  • Denial of Service Vulnerabilities
  • Spam or Social Engineering techniques

More Info: Facebook Bounty