Facebook pays out €28,000 to 'whitehat' hackers
Facebook is paying out an average of more than €1,100 per day to outside security experts to act as "bounty hunters" by finding bugs in its software that could be exploited by malicious hackers.
The three-week-old project has already handed out rewards totalling around €28,000, including more than €5,000 to one individual who has reported six potential vulnerabilities.
The largest single payment of more than €3,300 went to a security expert who made “one really good report”, said Joe Sullivan, Facebook’s chief security officer.
“The program has also been great because it has made our site more secure – by surfacing issues large and small, introducing us to novel attack vectors, and helping us improve lots of corners in our code,” he said.
The Bug Bounty Program has also been well-received by security commentators, who are often critical of the way large companies respond to bug reports.
“Whitehat” hackers, who do not exploit the vulnerabilities they come across, have in the past found themselves the subject of criminal investigations after telling service providers about them.
Facebook’s own internal security team also scours the millions of lines of software code that run the world’s biggest social network for vulnerabilities that could allow malicious hackers to steal data, but the Bug Bounty Program is a formal invitation for outsiders to help.
“We received really positive feedback when we launched our responsible disclosure policy last year, in which we told researchers we would not take adverse actions against them when they followed the policy in reporting bugs,” said Mr Sullivan.
“We are one of the first companies to clearly lay out our policy in order to make those who discover vulnerabilities more comfortable in reporting, and we are happy to see that other organizations are adopting a similar stance.”
Google launched a similar scheme last year, which initially covered the open source project allied to its Chrome browser, but was later expanded to invite whitehat hackers to probe its websites, including google.com and youtube.com. TippingPoint, a corporate security vendor owned by HP, also pays cash rewards for new vulnerabilities.
Facebook does not reward all hacking, however.
Earlier this month Glenn Mangham, a 25-year-old student from York, appeared at Westminster Magistrates’ Court on five charges related to hacking into Facebook. The firm said no user data was compromised.