Facebook bounty program earns security researchers $40,000

By Lee Kaelin on August 30, 2011, 5:30 PM

A new bug bounty program launched by Facebook has paid out more than $40,000 in its first 21 days, with one security researcher earning over $7,000 for finding six severe bugs in the social networking behemoth's code. Facebook has long been a target for cyber criminals, who frequently use the site to sell fake goods, send spam, and even harvest personal information, helped along by the site's lacklustre and confusing privacy settings.

While Facebook already has an in-house team dedicated to finding and resolving bugs, the new program takes this a step further by paying outsiders to report vulnerabilities. In a blog post yesterday, Facebook Chief Security Officer Joe Sullivan commented on the bug bounty program, saying it had already proved highly useful.

"We realize, though, that there are many talented and well-intentioned security experts around the world who don't work for Facebook. Over the years, we have received excellent support from independent researchers who have let us know about bugs they have found. A couple of years ago, we decided to formalize a 'whitehat' program to encourage these researchers to look for bugs and report them to us...We established this bug bounty program in an effort to recognize and reward these individuals for their good work and encourage others to join," said Sullivan.

The program is a step forward, aiming to improve security and reduce vulnerabilities in Facebook's own code. Unfortunately, its scope does not extend to the unsafe third-party applications that have long plagued Facebook users, most of whom are unaware of the potential implications of using them.

It's worth noting that Mozilla and Google run similar initiatives for their web browsers, paying external security researchers thousands of dollars to responsibly disclose software vulnerabilities.

User Comments: 4

Emin3nce said:

No amount of security can protect users with the password "password".

Guest said:

It's easy: don't allow users to use stupid passwords. Require strong passwords, easy enough.

StrayEagle said:

> Guest said:
>
> It's easy: don't allow users to use stupid passwords. Require strong passwords, easy enough.

Correcthorsebatterystaple? :P

http://xkcd.com/936/

NTAPRO said:

Good to know some effort is being put in to this. Dunno why people would put their phone number on Facebook and complain when unknown people call...
