Facebook is working on setting up a bug bounty program that would encourage security researchers to discover vulnerabilities on its platform and report them responsibly.
Mr. Joe Sullivan, Facebook's chief security officer, told us today at the Hack in the Box Amsterdam 2011 security conference that the company is currently testing such a system and hopes to launch it soon.
Vulnerability reward programs are not new. In fact, they've been around since the Netscape era.
In 2004 Mozilla introduced a bug bounty system for vulnerabilities discovered in Firefox, then last year Google did the same for Chromium, the open source project behind Google Chrome.
However, it was Google that first began rewarding vulnerabilities found in its web services, a move that was mirrored by Mozilla a month later.
Facebook has a pretty good relationship with security researchers already and many of them are reporting vulnerabilities to the company responsibly.
In fact, Facebook is one of the few companies that explicitly state in their official policies that as long as the vulnerability reporter doesn't exploit it to damage the system or compromise the data, it will not notify the authorities.
This might seem like common sense to many, and it is how most large vendors act in practice, but Facebook is one of the very few that have it in writing.
Bug bounty programs are not only about rewarding researchers, which is an honorable thing to do, but also about drawing security attention towards a particular product or service.
Since more people will be interested in poking around it and uncovering flaws, the system will become more secure over time and there will be fewer flaws for cyber criminals to find.
No details about the program's possible payouts or rules have been released, but we're hoping the rewards will at least match those offered by Mozilla and Google.
Softpedia is an official media partner for HITBSecConf 2011 Amsterdam.