Facebook decided to pay hackers in the expansion of its bug bounty program. This is a way to enhance the security of third-party apps and websites that integrate with its platform, as Facebook users’ data that had been misused was exposed mainly as the result of a vulnerability or security weakness in third-party apps or services.
Last year, Facebook launched “Data Abuse Bounty“ program, which rewards anyone reporting valid events of third-party apps collecting Facebook users’ data and passing it off to malicious parties, violating Facebook’s improved data policies.
Very few of the millions of third-party apps in the Facebook ecosystem have a vulnerability disclosure program or offer bug bounty rewards to white-hat hackers for responsibly reporting bugs in their codebase.
Facebook’s security programs for third-party apps and used to be limited to “passively observing the vulnerabilities,” as there was a communication gap between researchers and the affected app developers.
Facebook expanded its bug bounty program for third-party apps, last year, but this was still limited to valid report submissions for the exposure of Facebook users’ access tokens that allow people to log into another app using the platform.
Now, Facebook has decided to pay white-hat researchers even if app developers don’t have their own bounty program. “Although these bugs aren’t related to our own code, we want researchers to have a clear channel to report these issues if they could lead to our users’ data potentially being misused,” Facebook announced recently.
“We hope to encourage the security community to engage with more app developers.”
It means that app developers can take advantage of this program by setting up their own vulnerability disclosure policy, which would then help researchers to be eligible for finding bugs in their code and claim rewards from Facebook.
A report of a vulnerability in third-party apps submitted to Facebook will only be considered valid when researchers include proof of authorization granted by the third-party developer when submitting their reports. If the third-party developers already have their own bug bounty program, researchers can claim rewards from both parties.
The minimum reward from Facebook will be of $500, and it will depend upon the potential impact and severity of the reported vulnerability.