
Facebook aims 'bug bounty' at in-house network

In an attempt to combat internal breaches, the social networking giant will reward researchers who spot weaknesses in its corporate network.

Charlie Osborne Contributing Writer
Charlie Osborne is a cybersecurity journalist and photographer who writes for ZDNet and CNET from London. PGP Key: AF40821B.

Facebook is to widen its "bug bounty" program to reward researchers who spot holes in its corporate network.

According to a Bloomberg report today, the move will be announced at the Defcon hacking conference in Las Vegas.

Facebook already pays a bug bounty to outside hackers who report weaknesses in its products, but the move extends the program to its own infrastructure, too.

Rewarding "white hat" companies and individuals who unearth vulnerabilities in Web services and report them, rather than exploit them, is not a new concept. The reasoning is thus: entice individuals with cash rewards, and you may limit the damage done by vulnerability exploits or the sale of information to the black market.

However, such a move is still fraught with risk. Hackers who may not have previously considered researching the infrastructure may now do so -- although, as high-profile networks are under constant attack, becoming aware of issues quickly is always the best defense possible.

As Ryan McGeehan, who runs Facebook's security-incident response unit, told Bloomberg, "If there's a million-dollar bug, we will pay it out."

Facebook's bug bounty page states that the company will currently pay a minimum of $500 for each viable report -- with no limit -- as long as the bug contains the potential to "compromise the integrity of Facebook user data, circumvent the privacy protections of Facebook user data, or enable access to a system within Facebook's infrastructure." These kinds of flaws include broken authentication, remote code execution and cross-site scripting.

The company will not pay out for reported security flaws in third-party applications or Web sites, denial of service, or spam and social engineering techniques.