Facebook launches bug bounty program

Researchers can make $500 or more for reporting security holes on Facebook.com.

Elinor Mills
Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
2 min read

Facebook is set to announce today a bug bounty program in which researchers will be paid for reporting security holes on the popular social-networking Web site.

Compensation, which starts at $500 and has no maximum set, will be paid only to researchers who follow Facebook's Responsible Disclosure Policy and agree not to go public with the vulnerability information until Facebook has fixed the problem.

"Typically, it's no longer than a day" to fix a bug, Facebook Chief Security Officer Joe Sullivan told CNET in a conference call.

Facebook's Whitehat page for security researchers says: "If you give us a reasonable time to respond to your report before making any information public and make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service during your research, we will not bring any lawsuit against you or ask law enforcement to investigate you."

The compensation program is a good way to provide an incentive and show appreciation to the research community for helping keep Facebook safe for users, according to the company's security team. Up until now, researchers received recognition on the Facebook Whitehat page, maybe some "swag," and--if they were lucky--a job.

"Some of our best engineers have come to work here after pointing out security bugs on our site," like Ryan McGeehan, manager of Facebook's security response team, said Alex Rice, product security lead at Facebook. (Facebook also recently hired famed iPhone jailbreaker and Sony PlayStation 3 hacker George Hotz, who works on security issues.)

Meanwhile, Facebook is allowing security researchers a way to create test accounts on Facebook to ensure they don't violate terms of use or impact other Facebook users, Rice and McGeehan said.

Facebook is following in the steps of Mozilla, which launched its bug bounty program in 2004, and Google, which offers a bug bounty program with payments ranging from $500 to more than $3,000 for finding Web security holes, as well as a program specifically for Chrome bugs.

Related stories
How to follow Facebook pages anonymously
Control who can view your Facebook photos
How to move your Facebook photos to Google+

Microsoft has offered bounties of $250,000 for information leading to the arrest of virus writers, but does not pay researchers who find bugs in its software. However, other companies do, like TippingPoint's Zero Day Initiative.

Researchers typically are paid more for finding bugs in desktop software, which can take much longer to fix and to update software on computers than bugs in Web-based software, which can be fixed much more quickly.