Facebook hands out White Hat debit cards to hackers

Better than a platinum card--the Bug Bounty debit card gives security researchers some clout.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
Elinor Mills
2 min read
This is the Visa debit card Facebook is giving to some security researchers for reporting bugs.
This is the Visa debit card Facebook is giving to some security researchers for reporting bugs. Facebook

A few companies pay money to bug hunters. But Facebook is giving out something more unique than just a check. Some security researchers are getting a customized "White Hat Bug Bounty Program" Visa debit card.

The researchers, who can make thousands of dollars for reporting just one security hole on the social-networking site, can use the card to make purchases, just like a credit card, or create a PIN and take money out of an ATM. As the researchers find more bugs, Facebook can add more money to their accounts.

Facebook wanted to do something special for the people who are helping the company shore up its software and keep hackers and malware out.

"Researchers who find bugs and security improvements are rare, and we value them and have to find ways to reward them," Ryan McGeehan, manager of Facebook's security response team, told CNET in a recent interview. "Having this exclusive black card is another way to recognize them. They can show up at a conference and show this card and say 'I did special work for Facebook.'"

Besides holding cash value, the White Hat card may proffer other advantages. "We might make it a pass to get into a party," for instance, McGeehan said. "We're trying to be creative."

Facebook launched its bug bounty program in July, following in the steps of Mozilla and Google. The minimum a researcher can make for reporting a bug that is eventually confirmed is $500, and there is no maximum. Researchers have to follow Facebook's Responsible Disclosure Policy and not go public with the vulnerability information until the hole has been fixed.

The most Facebook has paid out for one bug report is $5,000, and it has done that several times, according to McGeehan. Payments have been made to 81 researchers, he said.

Recently, "someone came to us with a bounty-worthy ticket and they said they didn't want the bounty," he said. Instead, the researcher wanted the money--$2,500--to go to a charity and for Facebook to match it. Facebook agreed, McGeehan said.

Brian Krebs, who first wrote about the White Hat Visa, reports that recipients have included Szymon Gruszecki of Poland and Neal Poole, a junior at Brown University who will be an intern at Facebook next summer.

Charlie Miller, a researcher at Accuvant known for finding holes in iOS 5 and Safari, praised the card. "Facebook whitehat card not as prestigious as the SVC card, but very cool ;) Fun way to implement no more free bugs," he tweeted.

Facebook has plans to leverage the knowledge and skills of the researchers beyond just providing the bug bounty incentive.

"Whenever possible we're going to try to load-in White Hat researchers into products early--as soon as (they are) in production," McGeehan said. Thus Facebook "will get an early warning on anything they find."

Updated January 4 at 2:05 p.m. PT: to correct that Miller praised the card but has not received one.