Facebook Offers A Bug Bounty

Facebook is about to get a little safer with the social networking site’s announcement that it will offer a bounty to independent researchers for any bugs they uncover, to the tune of $500 a pop (or potentially more, if you bag an especially prized bug).

To receive a bounty, you have to agree to certain terms and meet specific criteria. For starters, you have to assent to the Reasonable Disclosure Policy, which states that:

If you give us a reasonable time to respond to your report before making any information public and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research, we will not bring any lawsuit against you or ask law enforcement to investigate you.

Fair enough. Further, you have to be the first to report a given bug, and the flaw you report must be one that affects private user data. Facebook’s Security Bug Bounty page gives cross-site scripting, cross-site request forgery, and remote code injection as specific examples of bounty-worthy fare.

The Information For Security Researchers page promises to investigate any legitimate reports.

Unfortunately for many Facebook users, there will be no bounty for flaws exposed in the legions of third-party Facebook applications, nor any Websites that simply link to Facebook. Thus, your finger must still waver hesitantly over the mouse button every time you’re about to grant a third-party access to your account.

And of course, social engineering scams will still proliferate unabated, so users must remain vigilant on that front. (E.g., if your dear old aunt posts some video that promises nudity or something especially gross, she’s been hacked. Do her a favor and tell her to change her password.)

This is pretty awesome of Facebook to put up a policy such as this. It would be nice if other companies follow suit.


$500 seems pretty low for such a large site. As far as I know it doesn't take a few minutes to find one and then taking into account that you might spend hours on end finding nothing.


Schmich:

$500 seems pretty low for such a large site. As far as I know it doesn't take a few minutes to find one and then taking into account that you might spend hours on end finding nothing.

"True, How much did GeoHotz get?"

-Optimus


Give up on fame? And for $500? I think not! lol :P It's a choice of giving yourself a name or earning $500...

I like the idea but is the bounty high enough to stop hackers? That is the point they are trying to get at anyways right? :D
