Facebook pays for security loopholes

Smashed window, Getty Facebook has paid $5000 to those who found the biggest security holes in its site

Related Stories

Facebook has spent $40,000 (£25,000) in the first 21 days of a program that rewards the discovery of security bugs.

The bug bounty program aims to encourage security researchers to help harden Facebook against attack.

One security researcher has been rewarded with more than $7,000 for finding six serious bugs in the social networking site.

The program runs alongside Facebook's efforts to police the code it creates that keeps the social site running.

A blog post by Facebook chief security officer Joe Sullivan revealed some information about the early days of the bug bounty program.

He said the program had made Facebook more secure by introducing the networking site to "novel attack vectors, and helping us improve lots of corners in our code".

The minimum amount paid for a bug is $500, said Mr Sullivan, up to a maximum of $5000 for the most serious loopholes. The maximum bounty has already been paid once, he said.

Many cyber criminals and vandals have targeted Facebook in many different ways to extract useful information from people, promote spam or fake goods.

Start Quote

It's hardly surprising that the service is riddled with rogue apps and viral scams”

End Quote Graham Cluley Sophos

Mr Sullivan said Facebook had internal bug-hunting teams, used external auditors to vet its code and ran "bug-a-thons" to hunt out mistakes but it regularly received reports about glitches from independent security researchers.

Facebook set up a system to handle these reports in 2010 which promised not to take legal action against those that find bugs and gave it chance to assess them.

Paying those that report problems was the logical next step for the disclosure system, he said.

Graham Cluley, senior technology consultant at Sophos, said many other firms, including Google and Mozilla, run similar schemes that have proved useful in rooting out bugs.

However, he said, many criminally-minded bug spotters might get more for what they find if they sell the knowledge on an underground market.

He added that the bug bounty scheme might be missing the biggest source of security problems on Facebook.

"They're specifically not going to reward people for identifying rogue third party Facebook apps, clickjacking scams and the like," he said. "It's those sorts of problems which are much more commonly encountered by Facebook users and have arguably impacted more people."

Facebook should consider setting up a "walled garden" that only allowed vetted applications from approved developers to connect to the social networking site, he said.

"Facebook claims there are over one million developers on the Facebook platform, so it's hardly surprising that the service is riddled with rogue apps and viral scams," he said.

More on This Story

Related Stories

The BBC is not responsible for the content of external Internet sites

More Technology stories

RSS

Features & Analysis

Elsewhere on the BBC

  • Child museumChild's play

    Should children be allowed to run wild in museums? BBC Culture investigates

Programmes

  • A map of social media interactionsClick Watch

    Twitter's map of the Middle East conflict – how the two sides react to each other on social media

BBC © 2014 The BBC is not responsible for the content of external sites. Read more.

This page is best viewed in an up-to-date web browser with style sheets (CSS) enabled. While you will be able to view the content of this page in your current browser, you will not be able to get the full visual experience. Please consider upgrading your browser software or enabling style sheets (CSS) if you are able to do so.