Facebook’s bug bounty program is one of its most effective methods for detecting problems on the site. Through the program, independent developers and researchers can report Facebook security flaws to the company itself and collect a cash reward. This week, Facebook announced that it is expanding the program to also cover third-party apps.
According to the company, it wants its informal network of bug hunters to look out for apps and websites that have “improper exposure” to Facebook user access tokens, which allow third parties to obtain our data. It makes sense Facebook would be sensitive about this particular issue; the Cambridge Analytica scandal that rocked the company earlier this year centered around an app that improperly obtained the data of tens of millions of users.
“This is part of our ongoing efforts to improve the security and privacy of people who use Facebook,” security engineering manager Dan Gurfinkel wrote in a blog post announcing the change. “We want researchers to have a clear channel to report these important issues when they find them, and we want to do our part to protect people’s information, even if the source of a bug is not in our direct control.”
In a perfect world, Facebook would be able to detect every flaw in its own security by itself. Crowdsourcing that search is the next best thing, and as long as it results in stronger protection for users, that’s all that matters.