Facebook bug bounty program

Companies and businesses are known to consult their users' perceptions before deciding an important issue or planning their next move. The end user of a product or service is most likely to know both its good and bad implications. A few years back, brands also started hiring professionals to identify loopholes in their solutions and apps that could prove fatal for the companies as well as for their customers or users. Despite all checks and balances, it is always difficult to label a solution or platform as 'absolutely secure'; the ever-evolving needs of a business keep its offerings vulnerable to a certain extent.

Facebook Inc. (NASDAQ:FB) has been known to police itself since its inception, but in the wake of the ongoing data breach scandal, the social media giant has decided to cut users some slack. Yesterday Facebook launched a program called the Data Abuse Bounty. Its purpose is pretty obvious: it will reward users who report any data breach or misuse of data by app developers.

Facebook Bug Bounty Program Targets Malicious Apps

If someone has evidence or first-hand knowledge of an app that is violating Facebook's terms of service by collecting users' data and transferring it to another party to be sold, stolen, or used for political influence or scams, they can notify Facebook through this program. If the data abuse report is confirmed, Facebook will "shut down the offending app and take legal action against the company selling or buying the data, if necessary". Facebook has not said anything about a maximum reward for a successful report, but the program is inspired by its existing bug bounty program, under which people who brought "high impact bug reports" to its attention have been rewarded with up to $40,000. Facebook says it will review all legitimate reports and respond to users about credible threats to their data as quickly as possible. The payout will be based on the impact of each report, and the people Facebook believes to be affected will be alerted subsequently.

This move is in line with Facebook's previous steps, such as disabling the search tool so that 'malicious actors' cannot misuse people's data. Facebook also recently announced that it is adding an unsend feature to Messenger after Zuckerberg's messages were secretly retracted from users' inboxes; one cannot be certain how this will improve matters for either users or Facebook. Considering the recent backlash, the social network turning to its users and incentivizing them seems only logical at this point. Obviously, this will not satisfy the users whose data was compromised in the Cambridge Analytica affair; what price can one put on one's personal data? But this step is likely to obstruct data abuse through suspicious apps in the future.

Despite Facebook's indiscretions and users' current ambivalence, the social network has managed to roll out reasonable changes to its privacy terms and data use policy. It has restricted apps' access to information by limiting the data available through Facebook Login, and it has changed its policies on political ads. A new initiative has also been announced to assess Facebook's role in elections.

Companies' use of bounty programs is not new. Software security researchers are increasingly engaging with bounty programs to hunt down vulnerabilities. Bugcrowd and HackerOne, both launched in 2012, have become popular platforms in the growing bug bounty market, each with a bug-hunting community of white hat hackers.

SecurityTrails, a security and intelligence firm, runs a data bounty program for finding particularly interesting cases in its 30TB data set. Furthermore, the search engine giant Google paid a hefty $2.9 million in bug bounties in 2017. Other well-known companies that announced bounty programs in 2018 include:

  • Intel – offering a maximum payout of $30,000 for detecting critical bugs in its hardware, software or firmware;
  • Cisco – offering bounties for serious vulnerabilities;
  • Apple – launching a bug bounty program targeting its Secure Enclave technology. The Cupertino giant had launched its first ever bug bounty program in September 2016, offering up to $200,000 for successfully finding vulnerabilities in its products.