Facebook has paid out $40,000 to independent hackers for spotting flaws in its website, three weeks after launching its “bug bounty” scheme.
The social networking company takes a “neighbourhood watch” approach of welcoming criticism from external security experts rather than punishing it.
“We realise … that there are many talented and well-intentioned security experts around the world who don’t work for Facebook,” wrote Joe Sullivan, Facebook’s chief security officer, on the company’s blog on Monday evening. “We established this bug bounty program in an effort to recognise and reward these individuals for their good work and encourage others to join.”
Google, the search company, and Mozilla, the group which develops the Firefox web browser, also offer payment to outsiders who spot vulnerabilities in their software.
Hewlett-Packard’s TippingPoint security unit runs a “Zero Day Initiative” – named after the term for a flaw that attackers exploit before the software’s vendor knows it exists, and so before any patch is available – which pays researchers for vulnerabilities in other companies’ software, passing the details to the original vendor to fix and using them to improve HP’s own security products.
A site as large, complex and fast-growing as Facebook or Google will often contain flaws in its coding that malicious parties may be able to exploit, potentially putting users’ data at risk.
As the recent spate of attacks by “hacktivists” such as LulzSec and Anonymous, and the state-sponsored intrusions highlighted by McAfee’s security survey last month, have shown, no company is safe from such attacks – or from the associated bad publicity.
Schemes such as Facebook’s illustrate the push towards greater disclosure of security weaknesses and hacking incidents, as the technology industry strives to pool its resources to protect itself better. The approach has won praise from digital advocacy groups such as the Electronic Frontier Foundation.
Facebook said that it has paid one individual $7,000 for spotting six issues with its site, and that it has paid $5,000 for a single particularly serious flaw, although the company admits that it has also received time-wasting reports from people “just looking for publicity”.
“The program has also been great because it has made our site more secure – by surfacing issues large and small, introducing us to novel attack vectors, and helping us improve lots of corners in our code,” Mr Sullivan said.
Technology firms aim to give responsible disclosure of problems the same public recognition as breaking into a site, which is often done as much for the glory as for any financial gain.
Facebook’s “whitehat” site – using a geek term borrowed from old Western cowboy movies to denote a “good guy” hacker – names around 50 individuals who have spotted flaws.
It also promises not to take legal action against these whitehat hackers, whose research may technically have breached computer-misuse laws in the course of identifying a problem, provided they follow its disclosure rules.
“If you give us a reasonable time to respond to your report before making any information public and make a good-faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research, we will not bring any lawsuit against you or ask law enforcement to investigate you,” Facebook says.