Facebook expands its reward program for data abuse reports

It now offers bug bounties for vulnerabilities found through active tests.

Facebook is broadening its data abuse bounty program to reward more security sleuths. As of today, researchers can earn at least $500 when they find Facebook data vulnerabilities in third-party apps and sites using active penetration tests, not just passive observation. They'll have to conduct the tests with the permission of the third party and honor that party's bounty and disclosure rules, but they'll have a stronger incentive to share potential data leaks than they did in the past.

This might not go as far as some would like, since the permission requirement leaves researchers in a tough spot. While this increases the chances that a third party will be aware of and fix a data flaw, it also creates problems if the app or site creator doesn't consent to testing. This doesn't stop tests, but an investigator may have to accept that neither Facebook nor the third party will pay up.

So long as most companies cooperate, though, this could lead to more disclosures and better controls for your data. Facebook has a strong financial motivation to pay more, too: whatever it spends on bounty rewards it might save by avoiding government fines over its data security.