Remember Google’s Chrome Bug Bountyprogram? Well, when Google released Google Chrome 12, it announced on its blog that it rewarded developers/researchers who found vulnerabilities (bugs) in its code. Earlier in August 2010, it was reported that Google gave away a total estimate of $10k of rewards. Mozilla too has the bug bounty program which pays $3,000 in hard cash plus a free Mozilla T-shirt for finding bugs!
Facebook has joined Google and Mozilla, and is following the “Bug Bounty” program, by rewarding its security researchers. However, the reward offered is way too less. For security related bugs – cross site scripting flaws, for example – the company will pay a base rate of $500, but if they’re highly significant flaws, Facebook has promised to pay more. However, the company executives haven’t revealed the bonus reward.
“To show our appreciation for our security researchers, we offer a monetary bounty for certain qualifying security bugs,” Facebook stated on its portal.
Facebook launched a new Whitehat hacking portal where researchers can sign up for the program and report bugs. They have also published a list of about 42 researchers who have made responsible disclosuresin the past.
With over 750 million active users, looks like Facebook is highly concerned about its security issues. Facebook hired a computer hacker who was recently sued by Sony for hacking the online gaming system PlayStation 3, last month.
If a bug has been discovered, the researchers are asked to provide as much information as possible. In order to receive the award, a detailed explanation of steps is required and all legitimate reports will be investigated.
Here’s the company’s policy –
“If you give us a reasonable time to respond to your report before making any information public and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research, we will not bring any lawsuit against you or ask law enforcement to investigate you.”
In addition to that, the researcher who reports a bug first is only rewarded. For instance, if two researchers find the same bug individually, the first one who reports it will be eligible to claim the reward.
Facebook’s Bug Bounty Eligibility Rules
In order to be eligible for the reward, researchers must follow to Facebook’s Responsible Disclosure Policy.
- You must be the first person to responsibly disclose the bug.
- Give Facebook a reasonable time to respond to your report before making any information public.
- You must live in a country not under any current U.S. Sanctions.
- You agree to report issues that may compromise a user’s information including Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF/XSRF) and Remote Code injection.
- Only one payment per bug will be awarded.
- Bugs in third-party applications, third-party websites that integrate with Facebook, Denial of Service Vulnerabilities or Spam or Social Engineering techniques will not be eligible.
Google, Mozilla and Facebook are not the only ones who reward its security researchers. Microsoft does it too. Microsoft, on the other hand, offers a big reward of US$250,000 to anyone who provides information on a virus culprit who masquerades in the Windows theme.