
Facebook Offers $500 Bounty for Reporting Bugs: Why So Cheap?

By Sara Yin, Junior Software Analyst

Facebook is offering a $500 reward for reporting bugs on its site, far less than bug bounties offered by Google and Mozilla.

"To show our appreciation for our security researchers, we offer a monetary bounty for certain qualifying security bugs," Facebook wrote on a page entitled "Security Bug Bounty."

To qualify for the bounty, you must be the first to report the security flaw, and the bug must be in Facebook itself rather than in a third-party application running on it (not in, say, FarmVille). Furthermore, disclosure must be "responsible": you need to give Facebook a reasonable amount of time to fix the bug before reporting it publicly, as security researchers often do through blog posts to warn users.

Although $500 is only the base amount, it pales in comparison to what other companies offer, such as Google's $3,000+ and Mozilla's $3,000 bounties.

Bug hunting isn't the only way to collect a reward. If you're looking for a real payout, the Business Software Alliance says tipsters who report their company's illegal use of unlicensed software could reap up to $1 million, and Microsoft offers a $250,000 reward for information that leads to the arrest of the Rustock botnet operators.

A security researcher cited in Computerworld says reporting Facebook bugs can help budding security researchers make a name for themselves in the tight-knit security community.

"The dollar amounts may be smaller than other markets for security research, but bounty programs lead to a better relationship with the security community and improve the security of the service much faster than a similar resource spend in a traditional security audit," said HD Moore, chief security officer of Rapid7.

Facebook, like Microsoft and Google, has been known to hire grey hat hackers in the past; most recently it scooped up famed PlayStation 3 hacker George "Geohot" Hotz.

Editor's note: This story was corrected on August 2, 10:31am ET to clarify reference to Microsoft's bounty for information on the Rustock botnet operators; Microsoft does not offer a "bug" bounty.
