Last Friday Facebook posted an announcement on the Facebook Security page outlining a new program that will provide bug bounty payments of $500 to security researchers who report certain bugs to the company while also adhering to its ‘responsible disclosure’ policy.
Facebook said only one payment per bug will be awarded when meeting its criteria, and that some bounties may pay out at a higher rate on a case-by-case basis.
According to the Facebook responsible disclosure policy, researchers must report bugs to the social networking site and provide it with “reasonable time to respond” before making any of the information public. This is in addition to making “a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of” the Facebook service while researching any security vulnerabilities.
Facebook provided examples of the types of bugs that could be eligible for a bounty payment, all of which must “compromise the integrity or privacy of Facebook user data”: cross-site scripting (XSS); cross-site request forgery (CSRF/XSRF); and remote code injection.
The company went on to say that researchers who submit security flaws for a bounty cannot reside in a country currently facing US sanctions, nor could the vulnerabilities come from the following list: security flaws in third-party apps; security flaws in third-party websites that integrate with Facebook; security flaws in Facebook’s corporate infrastructure; denial-of-service vulnerabilities; and spam or social engineering techniques.
In response, Facebook has created a Whitehat portal where security researchers can submit suspected vulnerabilities.