Saturday, July 30, 2011

Facebook to Hackers: Find Bugs and Get Paid

Good news for hackers. Social networking giant Facebook has announced a bug bounty program, in which it will pay hackers for finding and reporting security flaws in its Web site. People who find significant problems with the site will be paid, starting at a base rate of $500. The amount increases with the severity of the flaw found.

"If you believe you've found a security vulnerability on Facebook, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem," Facebook says on its Whitehat page, where researchers can sign up for the program and report bugs.

However, Facebook has made one point clear: it will pay only those hackers and researchers who stick to its Responsible Disclosure Policy. Researchers must keep a vulnerability private until Facebook has fixed it.

Facebook's Responsible Disclosure Policy reads like this:

"If you give us a reasonable time to respond to your report before making any information public and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research, we will not bring any lawsuit against you or ask law enforcement to investigate you."

According to Facebook, only registered researchers will be allowed to set up test accounts, so that the terms of service are not violated and other Facebook users are not affected by the testing.

Facebook has hired a number of engineers after they reported security bugs on the site. Recently, the social networking juggernaut hired iPhone jailbreaker and Sony PlayStation 3 hacker George Hotz. Hotz is now working on security issues related to the Web site.

The vulnerabilities that could qualify for the bounty include Cross-Site Request Forgery (CSRF/XSRF), Cross-Site Scripting (XSS) and Remote Code Injection. According to multiple reports, a CSRF vulnerability is currently being used aggressively to trick users into spreading a survey scam through a series of social engineering tricks.
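To show what a CSRF flaw of the kind described above looks like, and what Facebook would expect a fix to look like, here is an added example that is not code from the original article or from Facebook. It models a status-posting endpoint twice: a vulnerable version that authenticates by session cookie alone, and a hardened version that also checks the Origin header and a per-session synchronizer token. The site origin, session store, cookie names, form fields and the scam message are all constructed for the example.

```python
"""Minimal model of a CSRF-vulnerable status-post handler and its hardened form.
Added example; every origin, session, path and token here is hypothetical."""
import hmac
import secrets
from dataclasses import dataclass, field

SITE_ORIGIN = "https://www.social.test"  # hypothetical first-party origin

# Constructed server-side session store: cookie value -> session data.
# The CSRF token lives only here and in pages the site itself renders.
SESSIONS = {
    "sess-alice": {"user": "alice", "csrf_token": secrets.token_hex(16)},
}


@dataclass
class Request:
    """Only the parts of an HTTP request the handlers look at."""
    cookies: dict
    form: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def session_for(req):
    return SESSIONS.get(req.cookies.get("session"))


def post_status_vulnerable(req, feed):
    """Authenticates by cookie alone. Browsers attach the cookie to a
    cross-site form submission too, so an attacker's page can post as the
    victim; this is the pattern behind the survey-scam spreading."""
    sess = session_for(req)
    if sess is None:
        return 401
    feed.append((sess["user"], req.form["message"]))
    return 200


def post_status_hardened(req, feed):
    """Same handler with two independent CSRF checks:
    1. If the browser sent an Origin header it must be the first-party origin.
    2. The per-session synchronizer token must be echoed in the form body.
       Compared in constant time, on bytes, so the check leaks nothing and
       cannot be made to raise on non-ASCII input."""
    sess = session_for(req)
    if sess is None:
        return 401
    origin = req.headers.get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403
    supplied = req.form.get("csrf_token", "")
    if not hmac.compare_digest(supplied.encode(), sess["csrf_token"].encode()):
        return 403
    feed.append((sess["user"], req.form["message"]))
    return 200


def forged_request(with_origin=True):
    """Constructed cross-site POST: the victim's cookie rides along, the
    attacker controls the body, and a modern browser stamps the attacker's
    Origin. with_origin=False models an older client that omits the header;
    the token check still has to catch that case."""
    headers = {"Origin": "https://scam.test"} if with_origin else {}
    return Request(
        cookies={"session": "sess-alice"},
        form={"message": "WIN a free gift card! http://survey.scam.test"},
        headers=headers,
    )


def legitimate_request():
    """Constructed first-party POST from a form the site rendered itself,
    so the page could embed the session's token."""
    return Request(
        cookies={"session": "sess-alice"},
        form={"message": "hello", "csrf_token": SESSIONS["sess-alice"]["csrf_token"]},
        headers={"Origin": SITE_ORIGIN},
    )


def run(handler, req):
    """Run one handler on one request; returns (status, resulting feed)."""
    feed = []
    status = handler(req, feed)
    return status, feed


if __name__ == "__main__":
    for name, handler in (("vulnerable", post_status_vulnerable),
                          ("hardened", post_status_hardened)):
        print(name, "forged (Origin set):   ", run(handler, forged_request()))
        print(name, "forged (no Origin):    ", run(handler, forged_request(False)))
        print(name, "legitimate:            ", run(handler, legitimate_request()))
```

The vulnerable handler accepts the forged post and the scam message lands in the victim's feed; the hardened one rejects it with 403 whether or not the Origin header is present, while the legitimate first-party post still succeeds on both. The token check is the one that matters: the attacker's page cannot read the victim's session token across origins, so it cannot construct a request that passes.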

The bugs that are excluded from the bounty program are: security bugs in third-party applications, security bugs in third-party websites that integrate with Facebook, security bugs in Facebook's corporate infrastructure, denial-of-service vulnerabilities, and spam or social engineering techniques.

Facebook is not the first company to offer bounties for bugs. Search engine giant Google, Mozilla and Hewlett-Packard (HP) have also run bug bounty programs.

Mozilla announced its bug bounty program in 2004; its rewards for serious bugs found by security researchers have ranged from $500 to $3,000, Cnet reported.

Google announced cash rewards for finding security holes in its Web sites in 2010. Its payments range between $500 and $3,133.70, depending on the severity of the vulnerability.

HP, for its part, does not publicly disclose the amounts it pays researchers.