In the wake of extensive mishandling of user data and a series of security missteps, Facebook has deployed a number of security and privacy initiatives. A key focus: expanding its long-standing bug bounty program. Now Facebook is courting outside hackers more aggressively than ever.
Last year, the company began paying bounties for certain bugs researchers might find in third-party services that integrate with Facebook. It will now expand the types of bugs that are eligible, and even pay out for bugs that have also been directly submitted to another developer's own bug bounty. Essentially, Facebook is willing to reward bugs that impact its platform even if a researcher has already gotten another payout elsewhere for finding it. The company is also adding bonuses from $1,000 to $15,000 if researchers find bugs in the fundamental code of its native products—like Messenger, Oculus, Portal, or WhatsApp—and then also submit additional materials, like showing how the bugs could actually be exploited in the wild. Before now, there wasn’t a specifically codified bonus structure if you went above and beyond in a submission, a practice Facebook wants to encourage.
“Reports submitted to us thanks to security researchers allow us to learn from their insights,” says Dan Gurfinkel, who heads Facebook's bug bounty program. “And that allows us to catch more bugs in the future. Humans are always more creative than machines, so we want to see how they’re able to bypass our protections.”