29 Jul 2011

Facebook joins bug bounty bandwagon

On July 29, Facebook will begin paying hackers who report internet security vulnerabilities affecting the popular social media website.

In adopting the practice of giving cash pay-outs to friendly hackers, Facebook joins other major websites and tech companies that already do so, including Google and Mozilla. Facebook will pay the same $500 base rate as Google to users who report a bug that requires containment action, and will increase the payment depending on the severity of the threat. A Google spokesman told PCWorld the company has disbursed about $300,000 since its monetary rewards program began last year.

Alex Rice, Facebook's product security lead, told PCWorld the website already receives 30 to 50 reports from hackers each week, mainly about common vulnerabilities like cross-site scripting errors.

PCWorld describes the purpose of these bounty programs as giving hackers an incentive to tell tech companies about vulnerabilities rather than announcing their discoveries publicly; public disclosure exposes users to risk by giving cyber criminals an opportunity to exploit security loopholes before they can be fixed.

In November 2010, a bug in Facebook's system to detect fake profiles shut down thousands of user accounts.