Many online services run their own bug bounty programs. Security researchers are encouraged to find undiscovered vulnerabilities which can then be shared with the company in exchange for a monetary reward. Facebook has a bug bounty program of its own and it’s now expanding it to cover bug reports for third-party apps as well.
Security researchers who discover and report vulnerabilities in third-party apps that connect to Facebook’s platform will get rewards. Facebook is particularly concerned about the miuse of access tokens which enable Facebook users to log into other apps and services through their Facebook accounts.
“If exposed, a token can potentially be misused, based on the permissions set by the user,” Facebook’s security engineering manager Dan Gurfinkel wrote in a blog post. “We want researchers to have a clear channel to report these important issues, and we want to do our part to protect people’s information, even if the source of a bug is not in our direct control,” he added.
Researchers stand to make a minimum of $500 with valid reports. The amount will increase based on the impact of the bug that’s reported. Gurfinkel elaborated that “”Importantly, we will only accept reports if the bug is discovered by passively viewing the data sent to or from your device while using the vulnerable app or website.”
Once an issue in a third-party app comes to light, the developer will be notified and Facebook will work on them to address the issue. Those who don’t respond will be suspended until the bug is fixed and a security review is completed.
Filed in . Read more about Facebook.