Facebook updated the terms of its third-party bug bounty service integration program to boost researchers ‘ rewards.
A year ago, Facebook revealed that it would pay for researchers who can detect security problems with Facebook access tokens in third-party applications that can be used to sign in.
Scientists have twice been awarded
Researchers can now expect Facebook to pay for security issues found by certified pen testing in third-party apps and websites as well.
Therefore, hunters can report their findings through third-party bug hunting programs and Facebook. Issues discovered by active analysis tend to be rewarded.
“To be eligible, we ask that researchers comply with the third-party’s vulnerability disclosure or bug bounty program before submitting their findings to Facebook” – Dan Gurfinkel, Security Engineering Manager
The change was designed to enhance Facebook user privacy and security, even when the flaws are not related to the software on Facebook. Another impact could be stronger partnerships with app developers.
“With this rise, we believe that not only can we improve the safety of Facebook users, but also the broader app developer ecosystem,” Gurfinkel said on Tuesday in a blog post.
There is no improvement in payout levels
The cost is determined by its effect and the terms of the bug bounty system. The minimum $500 payout still applies to valid reports, but the reward ceiling does not apply.
Last year, in over 700 legitimate cases, Facebook paid a $1.1 million bonus, rounding up the average payment at about $1,600. The reports received totalled approximately 17,800.
2018 also marked the year in which the organization raised the total bug-taking bonus to $40.000 when no user interaction is needed, and $25.000 when moderate user interaction is required.
With this recent change, Facebook strengthens researchers ‘ incentive to find errors and encourages them to concentrate on apps and websites that offer smaller rewards through bug bounty programmes.