Facebook has chosen to reward users for finding and reporting bugs in its website. Researchers who report security issues in the service will be paid, with payments starting at $500 and no upper limit. As would be expected, the system has guidelines that must be followed in order to receive payment. Those who follow the Facebook Responsible Disclosure Policy will receive their money, while those who share the exploits with others before the issue is fixed will not be paid for their contribution. Once the bug has been fixed, researchers are allowed to go public with the information without affecting their reward.
Facebook has also recognised those who have adhered to its policy by posting their names on the Whitehat page. The page has the following to say:
"If you give us a reasonable time to respond to your report before making any information public and make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service during your research, we will not bring any lawsuit against you or ask law enforcement to investigate you."
In addition, Facebook's chief security officer, Joe Sullivan, stated that the time taken to fix a reported bug on the site is "Typically, no longer than a day". His statement was made during a conference call with journalists from CNET. The new system of monetary rewards is an added incentive for researchers. Under the previous system, researchers were given recognition on the Whitehat page and potentially a job, though the chances of the latter were slim unless they consistently found faults and helped to fix them.
Facebook is also adding the ability to create test accounts, in order to aid security researchers without affecting their own Facebook friends list or their own account. This also keeps research within the policy's requirement to avoid privacy violations and service disruption, since testing does not touch real users' data; if something goes wrong, the test account can be closed and the issue reported. Mozilla launched a payment system for those who found and helped to fix bugs back in 2004, and Microsoft has previously offered up to $250,000 for information leading to the arrest of virus writers.