Facebook announced today via its Facebook Security Page that it is launching a security "bug bounty program". The program will see the company paying users who disclose security bugs that have previously gone undiscovered.
"If you believe you've found a security vulnerability on Facebook, we encourage you to let us know right away," the company says. "We will investigate all legitimate reports and do our best to quickly fix the problem."
Just make sure you let Facebook know before you tell the world. That is, if you don't want to be sued.
"If you give us a reasonable time to respond to your report before making any information public and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research, we will not bring any lawsuit against you or ask law enforcement to investigate you," the company says.
Today we are launching a security bug bounty program; a program to pay for undiscovered security bugs that are responsibly disclosed to us. This is another way that we would like to show our appreciation to the security researchers who help us keep Facebook safe and secure for everyone. We’re launching a new whitehat portal with the full details of the program:
To qualify for a bounty, users must adhere to Facebook's Responsible Disclosure Policy, be the first to report the bug, reside in a country not under any current U.S. sanctions (such as North Korea, Libya, Cuba, etc.), and the bug must be one that would "compromise the integrity or privacy of Facebook user data."
Facebook specifically mentions cross-site scripting (XSS), cross-site request forgery (CSRF/XSRF), and remote code injection.
Facebook will pay $500 for a "typical bounty," but may pay more for some bugs. Only one bounty per bug.
It will not pay for bugs in third-party apps, third-party sites that integrate with Facebook, Facebook's corporate infrastructure, DoS vulnerabilities, or spam/social engineering techniques.
Facebook was also kind enough to give a shout-out to about 45 people for responsibly reporting bugs.