Facebook Offers A Bug Bounty
To receive a bounty, you have to agree to certain terms and meet specific criteria. For starters, you have to assent to the Reasonable Disclosure Policy, which states that:
If you give us a reasonable time to respond to your report before making any information public and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research, we will not bring any lawsuit against you or ask law enforcement to investigate you.
Fair enough. Further, you have to be the first to report a given bug, and the flaw you report must be one that affects private user data. Facebook’s Security Bug Bounty page gives cross-site scripting, cross-site request forgery, and remote code injection as specific examples of bounty-worthy fare.
The Information For Security Researchers page promises to investigate any legitimate reports.
And of course, social engineering scams will still proliferate unabated, so users must remain vigilant on that front. (E.g., if your dear old aunt posts some video that promises nudity or something especially gross, she’s been hacked. Do her a favor and tell her to change her password.)