Posts tagged: Bug Bounty

Dec 31 2011

Facebook Debit Card for White Hat Hackers

Facebook Debit CardA few companies pay money to bug hunters. But Facebook is giving out something more unique than just a check.

Some security researchers are getting a customized “White Hat Bug Bounty Program” Visa debit card.

The researchers, who can make thousands of dollars for reporting just one security hole on the social-networking site, can use the card to make purchases, just like a credit card, or create a PIN and take money out of an ATM. As the researchers find more bugs, Facebook can add more money to their accounts.

Facebook wanted to do something special for the people who are helping the company shore up its software and keep hackers and malware out.

“Researchers who find bugs and security improvements are rare, and we value them and have to find ways to reward them,” Ryan McGeehan, manager of Facebook’s security.

Besides holding cash value, the White Hat card may proffer other advantages. “We might make it a pass to get into a party,” for instance, McGeehan said. “We’re trying to be creative.”

The most Facebook has paid out for one bug report is $5,000, and it has done that several times, according to McGeehan. Payments have been made to 81 researchers, he said.

Szymon Gruszecki, a Polish security researcher and penetration tester; Neal Poole, a junior at Brown University who will be an intern at Facebook next summer; Charlie Miller, a researcher at Accuvant known for finding holes in iOS 5 and Safari, praised the card. “Facebook whitehat card not as prestigious as the SVC card, but very cool ;) Fun way to implement no more free bugs,” he tweeted.

Facebook has plans to leverage the knowledge and skills of the researchers beyond just providing the bug bounty incentive.

“Whenever possible we’re going to try to load-in White Hat researchers into products early–as soon as (they are) in production,” McGeehan said. Thus Facebook “will get an early warning on anything they find.”

Jul 30 2011

Facebook To Start Paying Security Bug Bounty

Facebook Bug BountyFacebook is the most recent company to come to the bug-bounty party, officially announcing recently that-

To show our appreciation for our security researchers, we offer a monetary bounty for certain qualifying security bugs.”

Here’s how it works:

Eligibility:
To qualify for a bounty, you must:

  • Adhere to our Responsible Disclosure Policy
  • Be the first person to responsibly disclose the bug
  • Report a bug that could compromise the integrity or privacy of Facebook user data, such as: Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF/XSRF), Remote Code Injection.
  • Reside in a country not under any current U.S. Sanctions (e.g., North Korea, Libya, Cuba, etc.)

Facebook security team will assess each bug to determine if qualifies.

Rewards:

  • A typical bounty is $500 USD
  • We may increase the reward for specific bugs
  • Only 1 bounty per security bug will be awarded

Exclusions:
The following bugs aren’t eligible for a bounty:

  • Security bugs in third-party applications (e.g., http://apps.facebook.com/[app_name])
  • Security bugs in third-party websites that integrate with Facebook
  • Security bugs in Facebook’s corporate infrastructure
  • Denial of Service Vulnerabilities
  • Spam or Social Engineering techniques

Sign Up: Facebook Official Bug Bounty Page