Facebook launches bug bounty program to report data thieves

The social network will pay anyone who can find apps like the one at the heart of the Cambridge Analytica scandal.

Alfred Ng Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.
A new employee sits at a computer during Facebook's engineering bootcamp

Facebook is paying anyone who reports data abuse from app developers, as part of its bug bounty program.

Facebook is willing to pay the price to find the next Cambridge Analytica.

The social network launched its data abuse bug bounty program on Tuesday, just hours ahead of CEO Mark Zuckerberg's testimony to the Senate judiciary and commerce committees in Washington, DC. The bug bounty program is asking people to report any apps that abuse data on Facebook, and it offers a reward based on how severe the abuse is. 

"While there is no maximum, high impact bug reports have garnered as much as $40,000 for people who bring them to our attention," Collin Greene, Facebook's head of product security, said in a post.

The new program comes almost a month after The New York Times and the UK's Observer and Guardian papers revealed that Cambridge Analytica, a voter profiling firm, took advantage of a Facebook app to siphon off personal information on 87 million people. The scandal has fanned the flames of a backlash against Facebook by lawmakers and users.

At the hearing on Tuesday, Zuckerberg said the bug bounty program was one of many steps Facebook was taking to improve its security. 

"In general, bounty programs are an important part of the security arsenal for hardening a lot of systems," the Facebook CEO said. 

If Facebook's bug bounty program were in place in 2015, and a user reported Cambridge Analytica's data abuse then, the social network would have considered it a "high impact" report, Pete Voss, a Facebook spokesman, said. 

"Those high impact rewards, we look to pay upwards of $40,000," Voss said. "We're really going off impact, and taking these pretty seriously."

The highest amount Facebook has ever paid for a reported bug was $40,000, Voss said. 

Facebook has changed how much information apps can access, and said it's auditing every app that had access to a large amount of people's data. Facebook's COO, Sheryl Sandberg, said the company has been hunting for another Cambridge Analytica, and it has since bounced other data analysis firms, including AggregateIQ and CubeYou. 

As part of the new program, Facebook would inform the people affected by the reported app's abuse. But the company doesn't plan on making knowledge of the abuse public, only opting to notify the people affected by it, Voss said. 

That policy is subject to change, Voss added, as Facebook looks to grow its bug bounty program. 

"We're focused on really making sure the people who are impacted are aware," Voss said. "But this is day 1 of our data abuse bounty. We're open to feedback." 

Bug bounty programs are common in cybersecurity, with companies paying researchers who find vulnerabilities that hackers could abuse. Facebook said its data abuse bounty is the first where the focus is on misuse of data by app developers. 

The company initially announced the program in March, but officially launched it Tuesday. 

First published April 10, 7:44 a.m. PT.
Update, 8:54 a.m. PT:
Includes statements from a Facebook spokesman.
Update, 2:48 p.m. PT: Includes remarks from Mark Zuckerberg.