Facebook has added a bounty system to its white hat program today that rewards security researchers for privately and responsibly informing the company of site vulnerabilities. Researchers can make $500 or more for disclosing bugs that could endanger users, such as cross-site scripting (XSS) or remote code injection.
Facebook had previously allowed researchers to submit bugs, but the addition of a monetary reward announced today on the Facebook Security Page should encourage participation in the program and help the site close gaps in security before they’re exploited.
The white hat program was first launched in December 2010, protecting researchers who happened to break its terms of service in the process of responsibly discovering and reporting vulnerabilities. Previously, their accounts were in jeopardy if they submitted research that required TOS violations, which discouraged participation in the program.
Researchers must still “make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service”, and “give us a reasonable time to respond to your report before making any information public.” Data mining or scraping, and using fake accounts to perform security research that leads to a disclosure, are likely permissible.
Eligible bugs include those found on Facebook.com, Facebook mobile apps, and the Platform APIs. To claim the bounty, researchers must be the first to responsibly report a bug and must reside in a country not under US sanctions; only one bounty will be awarded per bug. Reports of bugs in third-party apps or websites or in Facebook’s corporate infrastructure, as well as spam, social engineering, and denial of service issues, are not eligible for a bounty.
The site has made a wide variety of other efforts to both technically improve security and educate users about how to protect themselves. It began allowing users to browse over a secure HTTPS connection in January, will require third-party apps to support HTTPS by October, and now shows security roadblocks when users click links suspected of XSS or clickjacking. Facebook has partnered with Web of Trust to identify suspicious links, and with McAfee to offer users discounted virus protection.
Facebook has been criticized in the past when security researchers publicly announced vulnerabilities rather than privately disclosing them. The new bounty system might convince them to use the white hat program instead, allowing Facebook to improve security without taking a public relations hit.