Facebook pays for security loopholes
- 30 August 2011
- From the section Technology
Facebook has spent $40,000 (£25,000) in the first 21 days of a program that rewards the discovery of security bugs.
The bug bounty program aims to encourage security researchers to help harden Facebook against attack.
One security researcher has been rewarded with more than $7,000 for finding six serious bugs in the social networking site.
The program runs alongside Facebook's efforts to police the code it creates that keeps the social site running.
A blog post by Facebook chief security officer Joe Sullivan revealed some information about the early days of the bug bounty program.
He said the program had made Facebook more secure by introducing the networking site to "novel attack vectors, and helping us improve lots of corners in our code".
The minimum amount paid for a bug is $500, said Mr Sullivan, up to a maximum of $5000 for the most serious loopholes. The maximum bounty has already been paid once, he said.
Many cyber criminals and vandals have targeted Facebook in many different ways to extract useful information from people, promote spam or fake goods.
Mr Sullivan said Facebook had internal bug-hunting teams, used external auditors to vet its code and ran "bug-a-thons" to hunt out mistakes but it regularly received reports about glitches from independent security researchers.
Facebook set up a system to handle these reports in 2010 which promised not to take legal action against those that find bugs and gave it chance to assess them.
Paying those that report problems was the logical next step for the disclosure system, he said.
Graham Cluley, senior technology consultant at Sophos, said many other firms, including Google and Mozilla, run similar schemes that have proved useful in rooting out bugs.
However, he said, many criminally-minded bug spotters might get more for what they find if they sell the knowledge on an underground market.
He added that the bug bounty scheme might be missing the biggest source of security problems on Facebook.
"They're specifically not going to reward people for identifying rogue third party Facebook apps, clickjacking scams and the like," he said. "It's those sorts of problems which are much more commonly encountered by Facebook users and have arguably impacted more people."
Facebook should consider setting up a "walled garden" that only allowed vetted applications from approved developers to connect to the social networking site, he said.
"Facebook claims there are over one million developers on the Facebook platform, so it's hardly surprising that the service is riddled with rogue apps and viral scams," he said.