Facebook launches bug bounty program
Researchers can make $500 or more for reporting security holes on Facebook.com.
Facebook is set to announce today a bug bounty program in which researchers will be paid for reporting security holes on the popular social-networking Web site.
Compensation, which starts at $500 and has no maximum set, will be paid only to researchers who follow Facebook's Responsible Disclosure Policy and agree not to go public with the vulnerability information until Facebook has fixed the problem.
"Typically, it's no longer than a day" to fix a bug, Facebook Chief Security Officer Joe Sullivan told CNET in a conference call.
Facebook's Whitehat page for security researchers says: "If you give us a reasonable time to respond to your report before making any information public and make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service during your research, we will not bring any lawsuit against you or ask law enforcement to investigate you."
The compensation program is a good way to provide an incentive and show appreciation to the research community for helping keep Facebook safe for users, according to the company's security team. Up until now, researchers received recognition on the Facebook Whitehat page, maybe some "swag," and--if they were lucky--a job.
"Some of our best engineers have come to work here after pointing out security bugs on our site," like Ryan McGeehan, manager of Facebook's security response team, said Alex Rice, product security lead at Facebook. (Facebook also hired famed iPhone jailbreaker and Sony PlayStation 3 hacker George Hotz, who works on security issues.)
Facebook is following in the steps of Mozilla, which launched its bug bounty program in 2004, and Google, which offers a program with payments ranging from $500 to more than $3,000 for finding Web security holes, as well as a program specifically for .
Microsoft has offered bounties of $250,000 for information leading to the arrest of virus writers, but does not pay researchers who find bugs in its software. However, other companies do, like TippingPoint's Zero Day Initiative.
Researchers typically are paid more for finding bugs in desktop software, where a fix can take much longer to develop and to roll out as an update to users' computers, than for bugs in Web-based software, which can be fixed much more quickly.