August 30, 2011
Facebook Has Paid $40,000 So Far For Bug Alerts
Facebook said on Tuesday that it has spent $40,000 so far on a program that rewards the discovery of security bugs.
One security researcher has been rewarded with over $7,000 for finding six serious bugs in the social networking site.
The program runs alongside Facebook's efforts to police the code it creates to keep the site up and running.
Facebook's chief security officer Joe Sullivan revealed some information about the early days of the bug bounty program in a recent blog post.
He said the program had made Facebook more secure by introducing the networking site to "novel attack vectors, and helping us improve lots of corners in our code."
Sullivan said: "There are many talented and well-intentioned security experts around the world who don't work for Facebook.
"It has been fascinating to watch the roll-out of this program from inside Facebook. First, it has been amazing to see how independent security talent around the world has mobilized to help."
He said the minimum amount paid for the discovery of a bug is $500, and the maximum is $5,000. Sullivan said the maximum amount has already been paid once.
Many cyber criminals and vandals target Facebook to extract useful information from people, promote spam or peddle fake goods.
Sullivan said Facebook had internal bug-hunting teams, used external auditors to vet its code and ran "bug-a-thons" to hunt out mistakes, but it still regularly received reports about glitches from independent security researchers.
Graham Cluley, senior technology consultant at Sophos, said the bug scheme might be missing the biggest source of security problems on Facebook.
"They're specifically not going to reward people for identifying rogue third party Facebook apps, clickjacking scams and the like," he told the BBC. "It's those sorts of problems which are much more commonly encountered by Facebook users and have arguably impacted more people."