This week Facebook expanded their bug bounty program that has been running since 2011 and has payed out more than $6 million in that time. Facebook will now accept reports about vulnerabilities in third-party apps and services that connect to Facebook user accounts in addition to reports related to its own products.
The focus of the expansion will center on apps and websites that involve improper exposure of Facebook user access tokens. These are uniquely generated credentials that allow users to log into an app using their Facebook accounts. Since users can decide what information can be accessed by the token and app, the token can be exploited by any bad actors. This year has seen Facebook involved in a number of controversies that have seen personal data for millions of its users to be leaked. The bug bounty expansion marks the latest step by the social giant to stand by its declaration to do more to protect its users’ data.
The post from Facebook noted that reports will only be accepted so long as the bug is discovered by passively viewing the data and noticing if there is any data being sent improperly to or from the device. Dan Gurfinkel, Security Engineering Manager at Facebook wrote that “You are not permitted to manipulate any request sent to the app or website from your device, or otherwise interfere with the ordinary functioning of the app or website in connection with submitting your report.”
Facebook is offering a minimum of $500 for accepting bugs per vulnerable app or website. The reward amount issued will be based on the impact and severity of each report.
Bug bounties are common in the API space with major players such as Google, Apple, Uber and Fitbit offering rewards for finding vulnerabilities. These programs are important ways for the companies to use their developer audience to track bugs and improve the security of their applications and products. Facebook states however, that their bug bounty program is not meant to be a replacement for app developers’ obligation to “maintain appropriate technical and organizational measures to protect personal data — either regulatory obligations (for example, if the app developer is a data controller for the purposes of GDPR) or the rigorous controls we require through our terms of service and policies.”