Charting the way forward for our bug bounty program
- We are addressing the industry-wide scraping problem by expanding our bug bounty program to reward valid reports of scraping bugs and unprotected records. To the best of our knowledge, this is an industry first.
- With a view to the future, we are also launching new educational opportunities for researchers and holding our first BountyConEDU, a three-day conference for university students from across Europe who want to learn more about the industry.
- Since we started our bug bounty program in 2011, we have received more than 150,000 reports, of which over 7,800 have received a bonus.
Over the past 10 years, our bug bounty program has expanded from covering just the Facebook website to all of our web and mobile clients across all of our apps, including Instagram, WhatsApp, Quest, Workplace, and more. As we build for the future, we're expanding the program to tackle the industry-wide problem of scraping and to give researchers more opportunities.
Here are some highlights from the last decade:
- Since 2011, we have paid out more than $14 million in bug bounty rewards and received more than 150,000 reports, of which over 7,800 received rewards.
- We have paid out more than $250,000 in HackerPlus bonuses since that program started in 2020.
- So far this year, we have awarded over $2.3 million to researchers from more than 46 countries.
- This year alone, we received a total of around 25,000 reports and issued bonuses for over 800 reports.
- Since 2011, the largest numbers of informative reports have come from researchers in India, the US and Nepal.
We knew from the start that our program had to remain agile in order to react to new areas of risk. For example, to combat platform abuse cases following Cambridge Analytica, we launched the industry's first data abuse bounty program, which rewards researchers who report abuse of Facebook data by app developers. In response to a 2018 attack that targeted access tokens, we launched the industry's first bug bounty program covering third-party apps and websites, rewarding researchers who find vulnerabilities involving the misuse of Facebook user data.
Looking ahead to the future of our program, we are focused on expanding it to address new areas of risk and launching new researcher recruitment and retention initiatives.
New expansions to cover scraping
As scraping continues to be an internet-wide challenge, we are excited to open two new research areas to our bug bounty community. While we are only part of the bigger puzzle when it comes to combating scraping efforts, we believe the bug bounty community is an important element of our own work.
Starting as a private bounty track for our Gold+ HackerPlus researchers, our bug bounty program will now reward reports of scraping bugs. The goal of this track is to find bugs that would allow attackers to bypass scraping limitations and gain access to data beyond the intended scope of the product. Our aim is to quickly identify and counter scenarios that could make scraping less costly. To the best of our knowledge, this is the industry's first bug bounty program for scraping.
In addition, we are expanding our data rewards program to reward reports of unprotected or publicly available datasets that contain at least 100,000 unique Facebook user records with information such as email, phone number, physical address, or religious or political affiliation. The reported dataset must be unique and must not have been previously known to or reported to Meta. If the report is valid, we will work with the relevant party to remove the dataset or consider legal means to resolve the issue. We reward valid reports of scraped datasets in the form of charitable donations to nonprofits of the researcher's choosing, to ensure we are not incentivizing scraping activity. More information about this expansion is available.
Recruit and retain researchers
Our program would not be successful without the external research community. We know bug bounty researchers are in high demand, and we want to make sure our program remains rewarding. However, we also know that bug hunting can be a transitory career path, with researchers sometimes moving in and out of programs. For this reason, we also want to help build the interest of new and existing researchers in a more sustainable way.
Educational opportunities
Some of our longtime researchers have told us that they are interested in more educational opportunities to expand the surfaces and products they can hunt on, especially since the transition between certain areas of bug hunting, such as from software to hardware, is notoriously difficult.
We designed our annual BountyCon conference to include sessions led by our top researchers. In these sessions they discuss practical techniques and approaches for discovering and reporting critical vulnerabilities on various surfaces so that other researchers can learn from them. Next year, subject to travel restrictions, the conference will take place in Singapore in May and will be co-hosted with Google.
At BountyCon, we found that researchers who submitted bugs jointly not only found bugs with greater impact, but also learned from each other about their different areas of focus. To support this kind of teamwork and learning, this year we released a collaboration feature for researchers who would like to submit joint reports to our program.
Later this year we will also launch a dedicated training center to help bug bounty researchers quickly get up to speed on various products and technologies, reducing the time it takes them to start hunting for bugs in new areas.
Support for the next generation of bug hunters
In addition to engaging the researchers currently participating in our program, it is also important that we bring in future generations of bug hunters. In February we are hosting our first BountyConEDU, a conference in Madrid for university students from all over Europe. This three-day conference will enable them to learn more about bug bounties and bug hunting, as well as to form teams to test Meta products for valid vulnerabilities. We look forward to applying the lessons from this event to create similar learning opportunities around the world.
We'd like to thank our bug bounty community for their great research, and everyone who has helped grow our program. As always, we welcome feedback on how we can make our collaboration even more effective. We look forward to continuing to work together to keep our platform secure!