Facebook has launched a security bug bounty program through which it will pay security researchers for discovering and privately reporting vulnerabilities in its platform.
Compensation, which starts at $500 and has no maximum set, will be paid only to researchers who follow Facebook’s Responsible Disclosure Policy and agree not to go public with the vulnerability information until Facebook has fixed the problem.
“If you give us a reasonable time to respond to your report before making any information public and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research, we will not bring any lawsuit against you or ask law enforcement to investigate you.”
In addition, only researchers who report a vulnerability for the first time qualify for the reward. If two researchers happen to find the same bug independently, the first one who reports it gets the money.
The types of vulnerability that qualify for rewards are: cross-site scripting (XSS), cross-site request forgery (CSRF/XSRF) and remote code injection. Also, the exploit must compromise the integrity and privacy of Facebook user data.
While a typical payout is $500, the rewards can be increased in special cases, although the company did not specify any criteria for this. It’s also worth noting that only residents of countries that are not under United States sanctions qualify. Researchers from North Korea, Libya, Cuba and other similar countries won’t be eligible to receive rewards.
Vulnerabilities in third-party Facebook applications and websites that integrate with the platform will not be rewarded, and neither will those in Facebook’s corporate infrastructure, those that lead to denial-of-service conditions, or spam and social engineering techniques.
Facebook’s decision to launch a security bug bounty program for its web platform follows similar decisions by Google and Mozilla to extend their security reward efforts to their web properties.