Facebook has expanded its bug bounty program to cover vulnerabilities in third-party apps and services integrated with the social network. Researchers can now claim a reward for bugs found not only by passive observation but also through active testing with specialized tools.
Facebook Security Engineering Manager Dan Gurfinkel explained that the company will consider such reports only after the researcher has first reported the issue to the developer of the vulnerable service. "Although these bugs aren't related to our own code, we want researchers to have a clear channel to report these issues if they could lead to our users' data potentially being misused," Dan Gurfinkel writes.
This lets white-hat hackers be paid twice: first by the developer of the third-party service, then by Facebook. The minimum reward Facebook plans to pay for such bugs is $500, with no upper limit.
The update lifts a restriction Facebook imposed in 2018, when third-party application bugs were first brought into its bug bounty program. At that time, rewards were paid only for vulnerabilities discovered passively, without interfering with the operation of the affected services.
Gurfinkel noted that expanding the bug bounty of the largest social network will draw the attention of security researchers to the services of smaller companies. This should improve the security of products from developers who cannot afford to run expensive bug bounty programs of their own.
"With this expansion, we believe we can not only enhance the security of Facebook users but also the larger app developer ecosystem," Dan Gurfinkel said.
According to Facebook, the social network paid out $1.1 million to white-hat hackers in 2018. Over that period, more than 700 researchers received rewards, and the company received nearly 18,000 reports of possible bugs.
In some cases, Facebook pays for vulnerabilities that are not formally covered by the program. In early 2019, researchers who discovered a bug in Fizz, Facebook's TLS library that protects traffic to its web services, received a $10,000 reward. The flaw could be used to trigger critical failures in Facebook services, including its mobile applications.