To show our appreciation for our security researchers, we offer a monetary bounty for certain qualifying security bugs. Here's how it works:
Eligibility
To qualify for a bounty, you must:
- Adhere to our Responsible Disclosure Policy: ... give us a reasonable time to respond to your report before making any information public and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research ...
- Be the first person to responsibly disclose the bug
- Report a bug that could compromise the integrity or privacy of Facebook user data, such as:
  - Cross-Site Scripting (XSS)
  - Cross-Site Request Forgery (CSRF/XSRF)
  - Remote Code Injection
- Reside in a country not under any current U.S. Sanctions (e.g., North Korea, Libya, Cuba, etc.)
Our security team will assess each bug to determine if it qualifies.
Rewards
- A typical bounty is $500 USD
- We may increase the reward for specific bugs
- Only 1 bounty per security bug will be awarded
Exclusions
The following bugs aren't eligible for a bounty (and we don't recommend testing for these):
- Security bugs in third-party applications (e.g., http://apps.facebook.com/[app_name])
- Security bugs in third-party websites that integrate with Facebook
- Security bugs in Facebook's corporate infrastructure
- Denial of Service Vulnerabilities
- Spam or Social Engineering techniques
Sounds interesting.
Re: Facebook Bug Bounty
Posted: Fri Sep 02, 2011 10:38 am
by Avalanche
Looks like they are preparing for Anon.
Re: Facebook Bug Bounty
Posted: Fri Sep 02, 2011 3:29 pm
by Goseki
$500 is moot. Seems more of a publicity stunt. If they really wanted someone to hack them they would offer closer to $5000. I doubt a major hacker would waste his time on that.
Re: Facebook Bug Bounty
Posted: Fri Sep 02, 2011 5:10 pm
by CrimsonNuker
Wait, you have to be from North Korea?
Re: Facebook Bug Bounty
Posted: Fri Sep 02, 2011 5:39 pm
by *BlackFox
Pretty cool idea... But "$500" seems pretty low for such a large site. Don't ya think?
Re: Facebook Bug Bounty
Posted: Fri Sep 02, 2011 6:48 pm
by Majorharper
Am I naive or are they too lazy to look for their own bugs so instead of paying a guy 50$ an hour to look for specific bugs, they tell 100,000,000 people to look for bugs so that a person getting paid 10$ an hour can filter hundreds of thousands of emails that people will write a bunch of stupid useless bullshit to try to get $500? *sigh* what a lazy community we live in...
Re: Facebook Bug Bounty
Posted: Fri Sep 02, 2011 7:32 pm
by Vaya
500$ is the minimum..
Re: Facebook Bug Bounty
Posted: Fri Sep 02, 2011 8:46 pm
by omier
CrimsonNuker wrote:Wait, you have to be from North Korea?
Do they even have Internet there?
Re: Facebook Bug Bounty
Posted: Fri Sep 02, 2011 8:58 pm
by Toshiharu
K.K wrote:500$ is the minimum..
It says a -typical- bounty is $500. Reward is pathetic even if that number changed to x4 more.
Re: Facebook Bug Bounty
Posted: Fri Sep 02, 2011 10:31 pm
by MrTwilliger
I think the concept is that instead of having the "hacker communities" identify flaws and then simply do nothing productive to help facebook, it offers them a form of incentive to use their skills for a purpose. If I was a hacker, or whatever, and I spent my free time trolling around websites looking for flaws I would be thrilled to know that I could get $500 for doing what I normally do anyway. $500 is a lot more money than you think, imagine all the gummy bears you could buy with that!
Re: Facebook Bug Bounty
Posted: Fri Sep 02, 2011 10:46 pm
by omier
MrTwilliger wrote:I think the concept is that instead of having the "hacker communities" identify flaws and then simply do nothing productive to help facebook, it offers them a form of incentive to use their skills for a purpose. If I was a hacker, or whatever, and I spent my free time trolling around websites looking for flaws I would be thrilled to know that I could get $500 for doing what I normally do anyway. $500 is a lot more money than you think, imagine all the gummy bears you could buy with that!
U could even buy loads of these: .
Re: Facebook Bug Bounty
Posted: Sat Sep 03, 2011 12:14 am
by Toshiharu
MrTwilliger wrote:$500 is a lot more money than you think, imagine all the gummy bears you could buy with that!
Not when you can find a potential bug that could ruin facebook for day(s) and get paid $500 for it, leak information, etc etc. There's a reason why they hire people to try and hack their system. There's a reason why they hire people that hacked their system.
This is just a way to fix dangerous bugs against facebook while paying little to nothing.
Re: Facebook Bug Bounty
Posted: Sat Sep 03, 2011 12:41 am
by The Invisible
Toshiharu wrote:
MrTwilliger wrote:$500 is a lot more money than you think, imagine all the gummy bears you could buy with that!
Not when you can find a potential bug that could ruin facebook for day(s) and get paid $500 for it, leak information, etc etc. There's a reason why they hire people to try and hack their system. There's a reason why they hire people that hacked their system.
This is just a way to fix dangerous bugs against facebook while paying little to nothing.
I guess they would pay thousands for such a bug depending on what ruin means.