Following a series of security mishaps and data abuse through its social media platform, Facebook today expanding its bug bounty program in a very unique way to beef up the security of third-party apps and websites that integrate with its platform.
Last year, Facebook launched “Data Abuse Bounty” program to reward anyone who reports valid events of 3rd-party apps collecting Facebook users’ data and passing it off to malicious parties, violating Facebook’s revamped data policies.
Apparently, it turns out that most of the time, Facebook users’ data that had been misused was exposed in the first place as the result of a vulnerability or security weakness in third-party apps or services.
The Facebook ecosystem contains millions of third-party apps, and unfortunately, very few of them have a vulnerability disclosure program or offer bug bounty rewards to white-hat hackers for responsibly reporting bugs in their codebase.
Because of this communication gap between researchers and the affected app developers, Facebook’s security programs for 3rd-party apps and websites were, until now, just limited to “passively observing the vulnerabilities.”
Though Facebook already once expanded its bug bounty program for 3rd-party apps late last year, the scheme was only limited to valid report submissions for the exposure of Facebook users’ access tokens that allow people to log into another app using Facebook.
Efforts to Encourage Collaboration b/w Hackers and Developers
Now, to encourage third-party app developers to take the security of their apps more seriously and set up a vulnerability disclosure program, Facebook has decided to pay white-hat researchers from its own pocket even if app developers don’t have their own bounty program.
“Although these bugs aren’t related to our own code, we want researchers to have a clear channel to report these issues if they could lead to our users’ data potentially being misused,” Facebook says.
“We also want to incentivize researchers to focus on apps, websites, and bug bounty programs that otherwise may not get as much attention or may not have resources to incentivize the bug bounty community.”
“By committing to rewarding valid reports about bugs in third-party apps and websites that impact Facebook data, we hope to encourage the security community to engage with more app developers.”
In other words, app developers can take advantage of this program by simply setting up their own vulnerability disclosure policy, which would then help researchers to be eligible for finding bugs in their code and claim rewards from Facebook.
That’s because a report of a vulnerability in third-party apps submitted to Facebook will only be considered valid when researchers include proof of authorization granted by the third-party developer when submitting their reports to Facebook’s bug bounty program.
However, if the third-party developers already have their own bug bounty program, researchers can claim rewards from both parties.
Reward from Facebook will be issued depending upon the potential impact and severity of the responsibly reported vulnerability, with a minimum payout of $500.
Bug bounty programs for data abuse and 3rd-party apps affecting the whole ecosystem are a growing trend in cybersecurity. Most recently, Google also expanded its Pay Store bounty program to reward hackers for finding bugs in any Android app that has more than 100 million downloads.
However, in that case, Google takes responsibility to collaborate with app developers, while Facebook’s latest scheme is also a great way to let researchers directly work with third-party developers.