Saturday, July 30, 2011

Facebook offers bounty to bug hunters

Facebook wants to give out $500

Facebook wants you to crush the bugs plaguing its online infrastructure – and it is willing to pay you a substantial amount of cash if you can. In an open letter published today, Facebook reps invited researchers to pick through its site and look for errors that "could compromise the integrity or privacy of Facebook user data," including scripting flaws and "remote code injections." Your reward? Somewhere in the neighborhood of $500.

In order to qualify for the bounty, users will have to abide by the Facebook "Responsible Disclosure" agreement, which asks researchers to "give [Facebook] a reasonable time to respond to your report before making any information public and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research," etc.

Translation: If you find a problem with Facebook, let Facebook know and give them time to fix it, instead of taking the problem straight to the court of public opinion. To help corral all these bug reports, Facebook is creating a portal for so-called white hat researchers; as an incentive, Facebook has already posted the names of the researchers who have registered a "responsible" disclosure.

Sounds pretty good, right? But there are a few caveats: The bugs have to be in Facebook's own site, not in a third-party application. (FarmVille problems don't apply.) Also, Facebook is offering only one bounty per bug, paid to the first person to report it; being late to the party won't count for anything. Of course, as Dan Goodin notes over at the Register, the bulk of folks cashing in on the Facebook bounties aren't going to be casual users. They are going to be weathered Web hands.

"The move comes as good news to legions of researchers who spend considerable time and expertise finding and reporting serious vulnerabilities in the websites and software they use," Goodin writes. "More often than not, they receive little more than a public acknowledgement in return. Microsoft, Oracle and virtually every other software manufacturer and website steadfastly refuse to pay for private bug reports, even though their products also benefit from it."
