Facebook Bug Bounty

Charting the Future of our Bug Bounty Program

By Dan Gurfinkel, Security Engineering Manager

As we approach the end of the year, we wanted to take a minute to thank our bug bounty community for their great research and everyone who contributed to the growth of our program. As you may know, this year we celebrated our tenth anniversary. At its launch, I don’t think anyone could have foreseen the way our program would evolve and become an integral part of our broader security strategy. And I’m sure that’s true not just for us, but for many of our peers in the tech industry.

Since 2011, we’ve paid out more than $14 million in bug bounties and received over 150K reports, of which over 7,800 were awarded a bounty. So far this year, we’ve awarded over $2.3 million to researchers from more than 46 countries.

As we look toward the future of our program, we’re focused on expanding it to address new risk areas and launching new initiatives to recruit and retain researchers.

New expansions to cover scraping

As scraping continues to be an internet-wide challenge, we’re excited to open up two new areas of research for our bug bounty community.

Starting as a private bounty track for our Gold+ HackerPlus researchers, our bug bounty program will now reward reports about scraping bugs. The goal of this program is to find bugs that attackers utilize to bypass scraping limitations to access data at greater scale than the product intended. To our knowledge, this is the industry’s first bug bounty program for scraping.

In addition, we are expanding our data bounty program to reward reports of unprotected data sets containing at least 100,000 unique Facebook user records that include information such as email, phone number, physical address, religious, or political affiliation. The reported data set must be unique and not previously known or reported to Meta. We will reward valid reports of scraped data sets in the form of charity donations to nonprofits of our researchers’ choosing, to ensure that we are not incentivizing scraping activity.

More info on this expansion can be found here: https://about.fb.com/news/2021/12/expanding-bug-bounty-program-to-address-scraping/

Recruiting and retaining researchers

Our program wouldn’t be successful without the external researcher community. We know that bug bounty researchers are in high demand, and want to make sure that our program remains rewarding. Some of our longtime researchers have told us that they are interested in more educational opportunities to expand the surfaces and products they can hunt on — especially as certain bug areas are notoriously difficult to transition between, for example from software to hardware bug hunting. In addition to our annual BountyCon conference (which, pending travel restrictions, will take place in May in Singapore and will be co-hosted with Google), we will be launching a dedicated education center in the coming weeks to help researchers learn how to hunt on different products and technologies.

We also feel it’s important that we help usher in future generations of bug hunters. In February, we’ll host our first BountyConEDU, a conference in Madrid for university students from all over Europe. This three-day conference will allow them to learn more about bug bounties and how to hunt for bugs, as well as to form teams to test Meta products for valid vulnerabilities.

More info on this work can be found here: https://engineering.fb.com/2021/12/15/security/bug-bounty-scraping/

Thank you again for a great year! As always, we appreciate feedback on how we can make our collaboration even more effective. We look forward to our continued work together to keep our platform secure!
