Facebook Offers "Security Bug Bounty"

Facebook, like any other large website, is susceptible to bugs. That is unavoidable: bugs are part of any software-based service, and even Microsoft and Google ship them. It is also unrealistic to expect the developers to find all of these bugs on their own. They are easy to overlook, and it often takes a fresh set of eyes to spot them. That, in short, is the reasoning behind Facebook's new program, called "Security Bug Bounty". A person who discovers a security bug on Facebook and reports it to the company receives a monetary reward, a bounty, of $500 at minimum.

Now, before anyone quits their day job to begin a new life as a Facebook bug bounty hunter (not that anybody will, but still), consider how modest Facebook's offer is. $500 is the minimum, and the actual amount is presumably scaled to how serious the reported bug is, which leaves a lot of room for larger payouts if you do come across a significant one. But a smaller company such as Mozilla offers $3,000 plus a Mozilla shirt, and Google pays $500 to $3,000. Microsoft has even offered as much as $250,000, though that was a reward for information leading to the conviction of malware authors rather than a payment for bug reports.

Then again, if you happen to find a bug anyway, what would be the point in complaining? Who would turn down prize money of any kind? $500 is still $500. If nothing else, those who do spot bugs and tip Facebook off about them earn some reputation for their discoveries.

Of course, there are guidelines as to what counts as a Facebook bug. For one thing, it must be a bug in Facebook itself. If the researcher found the bug in a third-party Facebook application such as Pet Society or something similar, the report will not be considered. If the claim is legitimate, the researcher must then follow a set of rules. He must give Facebook a "reasonable time to respond" to the report before publicizing his discovery. This spares the company from losing face in front of the general public by giving it time to fix the problem. It also helps when a genuine security hole is found, because the researcher has an incentive to report it to Facebook and collect a bounty rather than spread the word and let the hole be exploited.

There are several other guidelines for researchers, which you can read on the Facebook Bug Bounty page (https://www.facebook.com/whitehat/bounty/) if you are interested. For the rest of us, it is simply good news that Facebook has implemented such a program, because it will now be easier for the developers to learn about vulnerabilities in the site and fix them.

