Meta is getting serious about its bug bounty program
Over the past 10 years, the company’s bug bounty program has grown from just Facebook’s website to covering all of its web and mobile clients across all of its apps, services and companies including Instagram, WhatsApp, Quest, Workplace and more.
In fact, since 2011 Meta has paid out over $14m in bug bounties and received more than 150k reports of which 7,800+ were awarded a bounty. So far this year, the company has received around 25k reports and issued bounties on over 800 reports.
Meta designed its bug bounty program to remain agile from the beginning so that it could pivot in response to emerging risk areas as it did with platform abuse after Cambridge Analytica as well as with attacks targeting access tokens in 2018. Now the company plans to focus on expanding its bug bounty program to address new risk areas as well as creating new initiatives to recruit and retain security researchers.
Covering scraping and unprotected datasets
As scraping continues to be an internet-wide challenge for tech companies, Meta has announced in a new blog post that it will open up two new areas of research for its HackerPlus bug bounty community.
Beginning as a private bounty track for the company’s Gold+ HackerPlus researchers, its bug bounty program will now reward reports about scraping bugs. The goal of this program is to find bugs that attackers are utilizing to bypass scraping limitations in order to access data at a greater scale than is intended in its products.
Meta aims to be able to quickly identify and counter scenarios that might make scraping less expensive to execute. It’s worth noting that this is the the industry’s first bug bounty program for scraping and hopefully, other tech giants will follow suit.
Additionally, Meta is expanding its data bounty program to reward reports of unprotected or openly public datasets containing at least 100,000 unique Facebook user records which include information such as users’ emails, phone numbers, physical addresses, religion or political affiliation. However, the reported data set must be unique not previously known or reported to the company.
At the same time, Meta will reward valid reports of scraped data sets in the form of charity donations to nonprofits of a researcher’s choosing to ensure that the company is not incentivizing scraping activity.
Go to Source