Facebook Hands Out $40,000 in Bug Bounties

Chloe Albanesius, Executive Editor, News

Facebook on Monday said its bug bounty program has already paid out more than $40,000 to those who have identified vulnerabilities on the social-networking site. It also offered clarification about how the program works.

"During the past three weeks, Facebook has paid more than $40,000 to security experts around the world. One person has received more than $7,000 for 6 different issues flagged," Joe Sullivan, Facebook's chief security officer, wrote in a blog post.

Another person got $5,000 for "one really good report," he said.

Given those payouts, Sullivan wanted to clarify that Facebook is offering more than $500 as bounties. "Because bug reports are often complicated and can involve complex legal issues, we chose our words carefully when announcing the program," he said. That led to some confusion, but Facebook wants security experts to know: finding a bug on the site could land you thousands, not just $500.

That being said, Sullivan acknowledged that Facebook has had to contend with "bogus reports from people who were just looking for publicity," so make sure your complaint is legit.

At this point, the bug bounty program only applies to the main Facebook Web site; there are no plans to extend it to the Facebook Platform, which houses third-party apps.

"Unfortunately, that's just not practical because of the hundreds of thousands of independent Internet services implicated, but we do care deeply about security on the Platform," Sullivan wrote. "We have a dedicated Platform Operations team that scrutinizes these partners and we frequently audit their security and privacy practices. Additionally, we have built a number of backend tools that help automatically detect and disable spammy or malicious applications. People on our site agree that our protections, coupled with common sense, provide a rigorous level of security."

The program "is a great way to engage with the security research community, and an even better way to improve security across a complex technological environment," he said. "Facebook truly does have the world's best neighborhood watch program, and this program has proven that yet again for us."

Facebook's efforts to engage the security community in identifying bugs date back several years, via a formalized "whitehat" program. There has long been a concern among security professionals that notifying companies about vulnerabilities might result in lawsuits or criminal prosecutions. But Facebook said it "worked with several third-party groups to ensure that the language in our policy protects researchers and makes clear our intent to work with, not punish, those who report information." Offering a bounty, the company said, took that program to the next level.
