Facebook expanded bug bounty program for third-party services

Facebook has expanded its bug bounty program to cover bugs in third-party services integrated with the social network. Researchers can now claim a reward for vulnerabilities they discover both through passive observation and through active testing with specialized tools.

Facebook Security Engineering Manager Dan Gurfinkel explained that the company will consider such bug reports only after the researcher has first reported the issue to the developers of the vulnerable service.

“Although these bugs aren’t related to our own code, we want researchers to have a clear channel to report these issues if they could lead to our users’ data potentially being misused,” writes Dan Gurfinkel.

This allows white-hat hackers to be paid twice: first by the developers of the third-party service, and then by the social network. The minimum reward Facebook plans to pay for such bugs is $500, and there is no upper limit.

The update removes a restriction Facebook set in 2018, when third-party application bugs were first included in its bug bounty program. At that time, rewards were paid only for vulnerabilities discovered without interfering with the operation of the services.


Gurfinkel noted that the update to the bug bounty of the largest social network will draw the attention of information security specialists to the services of small companies. This will help improve the security of products from developers who cannot afford an expensive bug-finding program of their own.

“With this expansion, we believe we can not only enhance the security of Facebook users but also the larger app developer ecosystem,” reported Dan Gurfinkel.

According to Facebook, the social network paid $1.1 million to white-hat hackers in 2018. During that period, more than 700 researchers received rewards, and the company received almost 18,000 reports of possible bugs.

In some cases, Facebook pays for vulnerabilities that are not formally covered by the program. At the beginning of 2019, researchers who discovered a bug in the Fizz protocol, which protects the data of Facebook web services, received a reward of $10,000. The flaw could be used to cause critical failures in the operation of the social network, including its mobile applications.


About the author

Brendan Smith

Cybersecurity analyst with 15+ years digging into malware and threats, from early days reverse-engineering trojans to leading incident responses for mid-sized firms.

At Gridinsoft, I handle peer-reviewed breakdowns of stuff like AsyncRAT ransomware—last year, my guides helped flag 200+ variants in real scans, cutting cleanup time by 40% for users. Outside, I write hands-on tutorials on howtofix.guide, like step-by-step takedowns of pop-up adware using Wireshark and custom scripts (one post on VT alternatives got 5k reads in a month).

Certified CISSP and CEH, I’ve run webinars for 300+ pros on AI-boosted stealers—always pushing for simple fixes that stick, because nobody has time for 50-page manuals. Tools of the trade: Splunk for hunting, Ansible for automation, and a healthy dose of coffee to outlast the night shifts.
