Facebook Bug Bounty

Vaya · **Joined:** May 2009 **Posts:** 1848 **Location:**

http://www.facebook.com/whitehat/bounty/

Quote:

To show our appreciation for our security researchers, we offer a monetary bounty for certain qualifying security bugs. Here's how it works:

Eligibility
To qualify for a bounty, you must:
Adhere to our Responsible Disclosure Policy:
... give us a reasonable time to respond to your report before making any information public and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research ...
Be the first person to responsibly disclose the bug
Report a bug that could compromise the integrity or privacy of Facebook user data, such as:
Cross-Site Scripting (XSS)
Cross-Site Request Forgery (CSRF/XSRF)
Remote Code Injection
Reside in a country not under any current U.S. Sanctions (e.g., North Korea, Libya, Cuba, etc.)
Our security team will assess each bug to determine if qualifies.

Rewards
A typical bounty is $500 USD
We may increase the reward for specific bugs
Only 1 bounty per security bug will be awarded

Exclusions
The following bugs aren't eligible for a bounty (and we don't recommend testing for these):
Security bugs in third-party applications (e.g., http://apps.facebook.com/[app_name])
Security bugs in third-party websites that integrate with Facebook
Security bugs in Facebook's corporate infrastructure
Denial of Service Vulnerabilities
Spam or Social Engineering techniques

Sounds interesting.

Avalanche · **Joined:** Jan 2006 **Posts:** 3606 **Location:**

Looks like they are preparing for Anon.

Goseki · **Joined:** Apr 2008 **Posts:** 3452 **Location:**

$500 is moot. Seems more of a publicity stunt. If they really wanted someone to hack them they would offer closer to $5000. I doubt a major hacker would waste his time on that.

CrimsonNuker · **Joined:** Aug 2006 **Posts:** 13791 **Location:**

Wait, you have to be from North Korea?

*BlackFox · **Joined:** Sep 2008 **Posts:** 7923 **Location:**

Pretty cool idea... But "$500" seems pretty low for such a large site. Don't ya think?

Majorharper · **Posted:** Fri Sep 02, 2011 6:48 pm

Am I naive or are they too lazy to look for their own bugs so instead of paying a guy 50$ an hour to look for specific bugs, hey tell 100,000,000 people to look for bugs so that a person getting payed 10$ an hour can filter hundres of thousands of emails that people will write a bunch of stupid useless bullshit to try to get $500? *sigh* what a lazy community we live in...

Vaya · **Joined:** May 2009 **Posts:** 1848 **Location:**

500$ is the minimum..

omier · **Joined:** Aug 2006 **Posts:** 5985 **Location:** ...

CrimsonNuker wrote:

Wait, you have to be from North Korea?

Do they even have Internet there?

Toshiharu · **Joined:** Feb 2008 **Posts:** 4222 **Location:** Nowhere

K.K wrote:

500$ is the minimum..

It says a -typical- bounty is $500. Reward is pathetic even if that number changed to x4 more.

MrTwilliger · **Joined:** May 2008 **Posts:** 1374 **Location:** Hiding

I think the concept is that instead of having the "hacker communities" identify flaws and them simply do nothing productive to help facebook, it offers them a form of incentive to use their skills for a purpose. If I was a hacker, or whatever, and I spent my free time trolling around websites looking for flaws I would be thrilled to know that I could get $500 for doing what I normally do anyway. $500 is a lot more money than you think, imagine all the gummy bears you could buy with that!

MrTwilliger · **Joined:** May 2008 **Posts:** 1374 **Location:** Hiding

I think the concept is that instead of having the "hacker communities" identify flaws and them simply do nothing productive to help facebook, it offers them a form of incentive to use their skills for a purpose. If I was a hacker, or whatever, and I spent my free time trolling around websites looking for flaws I would be thrilled to know that I could get $500 for doing what I normally do anyway. $500 is a lot more money than you think, imagine all the gummy bears you could buy with that!

omier · **Joined:** Aug 2006 **Posts:** 5985 **Location:** ...

MrTwilliger wrote:

I think the concept is that instead of having the "hacker communities" identify flaws and them simply do nothing productive to help facebook, it offers them a form of incentive to use their skills for a purpose. If I was a hacker, or whatever, and I spent my free time trolling around websites looking for flaws I would be thrilled to know that I could get $500 for doing what I normally do anyway. $500 is a lot more money than you think, imagine all the gummy bears you could buy with that!

U could even buy loads of these:
.

Toshiharu · **Joined:** Feb 2008 **Posts:** 4222 **Location:** Nowhere

MrTwilliger wrote:

$500 is a lot more money than you think, imagine all the gummy bears you could buy with that!

Not when you can find a potential bug that could ruin facebook for day(s) and get paid $500 for it, leak information, etc etc. There's a reason why they hire people to try and hack their system. There's a reason why they hire people that hacked their system.

This is just a way to fix dangerous bugs against facebook while paying little to nothing.

The Invisible · **Joined:** Jan 2011 **Posts:** 2626 **Location:** Home ._.

Toshiharu wrote:

MrTwilliger wrote:

$500 is a lot more money than you think, imagine all the gummy bears you could buy with that!

Not when you can find a potential bug that could ruin facebook for day(s) and get paid $500 for it, leak information, etc etc. There's a reason why they hire people to try and hack their system. There's a reason why they hire people that hacked their system.

This is just a way to fix dangerous bugs against facebook while paying little to nothing.

I guess they would pay thousands for such a bug depending on what ruin means.

Silkroad Online Forums

Facebook Bug Bounty

Who is online