Facebook Prepares to Launch Bug Bounty Program
Facebook is working on setting up a bug bounty program that would encourage security researchers to discover vulnerabilities on its platform and report them responsibly.
Mr. Joe Sullivan, Facebook's chief security officer, told us today at the Hack in the Box Amsterdam 2011 security conference that the company is currently testing such a system and hopes to launch it soon.
Vulnerability reward programs are not new. In fact, they've been around since the Netscape era.
In 2004, Mozilla introduced a bug bounty system for vulnerabilities discovered in Firefox, and last year Google did the same for Chromium, the open source project behind Google Chrome.
Google was the first, though, to extend rewards to vulnerabilities found in its web services, a move that Mozilla mirrored a month later.
Facebook already has a pretty good relationship with security researchers, and many of them report vulnerabilities to the company responsibly.
In fact, Facebook is one of the few companies that explicitly state in their official policies that, as long as the reporter does not exploit a vulnerability to damage the system or compromise user data, the company will not take legal action against them or notify the authorities.
This might seem like common sense to many, and it is how most large vendors act in practice, but Facebook is one of the very few that guarantee it in writing: https://www.facebook.com/security?v=app_6009294086
Bug bounty programs are not only about rewarding researchers, which is an honorable thing to do, but also about drawing security attention towards a particular product or service.
Since more people will be interested in poking around it and uncovering flaws, more of those flaws get found and fixed, and there will be fewer left for cyber criminals to discover.
No details about the program's possible payouts or rules have been released, but we're hoping the rewards will at least match those offered by Mozilla and Google.
Source: http://news.softpedia.com