Facebook has spent £25,000 rewarding independent hackers who have discovered security flaws in the social network.
Three weeks into the bug bounty programme, one security researcher is said to have picked up £4,300 for finding six serious flaws in the Web platform. The minimum rate paid for finding a bug is £300 ($500), with more for serious problems.
The initiative complements the work of Facebook’s internal bug-hunting team, who search for cyber-criminals attempting to extract personal information from site users, disseminate spam or promote fake goods.
“The programme has made our site more secure by surfacing issues large and small, introducing us to novel attack vectors, and helping us improve lots of corners in our code,” said Facebook’s chief security officer, Joe Sullivan. “The bug bounty programme is a great way to engage with the security research community and a better way to improve security across a complex technological environment.”
Google and Mozilla have similar initiatives to reward those who report security flaws. However, Sophos’s senior technology consultant, Graham Cluley, said Facebook may be missing the biggest source of security problems.
“They’re specifically not going to reward people for identifying vulnerabilities in third-party apps, clickjacking scams and the like,” he said. “It’s those sorts of problems which are much more commonly encountered by Facebook users and have arguably impacted more people.”