Facebook recently rolled out a program we think is a good step: bounties paid to hackers who find and report bugs rather than exploit them. So far the payouts have totaled around $40,000, no small sum for aspiring hackers, and probably a boon for Facebook’s efforts to proactively fix security issues before a potential catastrophe. Facebook, so far, is happy with the results, saying the program “in a short time has proven valuable beyond our expectations.”
The bug bounty program, launched only three weeks ago, follows a concept that other organizations, such as Google and Mozilla, have already implemented. Facebook states, “We know and have relationships with a large number of security experts, but this program has kicked off dialogue with a whole new and ever expanding set of people across the globe in over 16 countries, from Turkey to Poland who are passionate about Internet security.”
The average payout, in case you want to bone up your whitehat hacking sk1llz, was $500. In one case, however, Facebook paid $5000 to a hacker who provided “one really good report”, according to the company. The company also paid $7000 to one researcher who pointed out 6 different issues.
They’ve had to deal with their fair share of false reports from people who were “just looking for publicity”, which is probably to be expected. They also say it’s impractical to extend the program to cover third-party applications (though I’m sure they get a lot of requests), since third parties have their own development and bug-fix pipelines.
It will be interesting to see whether Facebook views the bounty recipients as potential new hires. Something similar happened recently at Google, which hired Florian Rohrweck after he poked around in Google+ code and found a series of unreleased features. Now he’s working for Google, helping secure the code. Either way, we think the program sends the right signal to hackers: stay away from the “dark side” and help fix the problems. They’ll sleep better knowing they’re helping the world with their talents, and so will the rest of us.
ESET Research Systems Manager