Discussion

If You Can’t Beat ’em, Join ’em – Facebook Reward Hackers

Facebook are among the latest in a string of software and technology companies to offer money to hackers in exchange for pointing out their own shortcomings in terms of security and bugs. However, the $500 bounty for reporting bugs on the website is far less than the remuneration offered by the likes of Google and Microsoft.

Making the announcement about the “bug bounty programme” via its Facebook Security Page, the social networking giant is encouraging hackers to inform the company about security bugs in apps, third-party websites that integrate with Facebook, and Facebook’s own corporate infrastructure. The ‘wanted list’ also includes spam, and ‘social engineering techniques’.

“To express our appreciation for our security researchers, we offer a monetary bounty
for certain qualifying security bugs,” Facebook wrote on a page entitled
‘Security Bug Bounty’. According to Facebook Chief Security Officer Joe Sullivan, finding, qualifying and reporting these bugs can take as little as a single day.

$500 for a day’s work? Not a bad rate if you ask me. Obviously there are certain hoops to jump through in order to be eligible for the bounty, so users must adhere to Facebook’s Responsible Disclosure Policy, you must also be the first person to have reported the security glitch, and you cannot reside n a county currently subject to US sanctions, such as North Korea, Libya, Cuba etc. The bugs must also be native to Facebook – not in Farmville for example.

By way of further incentive for the hackers to be helpful in this situation, a job-shaped carrot is being dangled by Facebook: “Some of our best engineers have come to work here after pointing out security bugs on our site,” like Ryan McGeehan, manager of Facebook’s
security response team, said Alex Rice, product security lead at Facebook.

If you have a particular talent, it’s much better if it is put to good use, and it is warming to see the big companies encouraging this.