A month ago, Facebook announced its “Bug Bounty” Program, in which the company began offering users $500 for finding security holes.
“The program is already making Facebook more secure,” a representative for Facebook tells WebProNews. “During the past three weeks, Facebook has paid more than $40,000 to security experts around the world. One person has received more than $7,000 for 6 different issues flagged.”
Facebook points to something the Electronic Frontier Foundation said when discussing the program: “Well-meaning Internet users are often afraid to tell companies about security flaws they’ve found — they don’t know whether they’ll get…slapped with a lawsuit or even criminal prosecution.”
“We worked with several third-party groups to ensure that the language in our policy protects researchers and makes clear our intent to work with, not punish, those who report information,” Joe Sullivan, Facebook’s chief security officer notes in response to this line of thinking. “We are one of the first companies to clearly lay out our policy in order to make those who discover vulnerabilities more comfortable in reporting, and we are happy to see that other organizations are adopting a similar stance. A few weeks ago, we took that program to the next level–we started paying rewards to those who report bugs to us.”
“Because bug reports are often complicated and can involve complex legal issues, we chose our words carefully when announcing the program,” says Sullivan. “Perhaps because of this, there have been several inaccurate reports about how the program works. For example, some stories said that the maximum payment would be $500, when in fact that is the minimum amount we will pay. In fact, we’ve already paid a $5,000 bounty for one really good report. On the other end of the spectrum, we’ve had to deal with bogus reports from people who were just looking for publicity.”
Don’t look for the program to be expanded to Facebook Platform, as the company has deemed this impractical, due to the “hundreds of thousands of independent Internet services implicated”.