Meta, the recently rebranded corporate parent of Facebook, announced it will expand its bug bounties program to include data-scraping bugs and scraped databases found online.
"We know that automated activity designed to scrape people’s public and private data targets every website or service. We also know that it is a highly adversarial space where scrapers — be it malicious apps, websites or scripts — constantly adapt their tactics to evade detection in response to the defenses we build and improve. As part of our larger security strategy to make scraping harder and more costly for the attackers, today we are beginning to reward valid reports of scraping bugs in our platform," wrote Dan Gurfinkel, Meta security engineering manager in a blog post announcing the policy change.
The program to discover data-scraping bugs will initially be a private offering for registered hackers at "gold" tier or higher. These are hackers who have found at least five valid bugs with a low incidence of low-quality submissions. The program to find data sets has no such restrictions. Bounties will start at $500 per discovery, with a matching program for any bounties donated to charity.
Facebook has faced bulk scraping incidents in the past. The site acknowledged in April that 533 million users' phone numbers had been improperly scraped because of a glitch that caused the platform to improperly record privacy settings. In 2018, data-harvesting group Cambridge Analytica stole data from more than 80 million accounts against Facebook's terms of service.
In the aftermath of the April incident, a public relations representative for the site accidentally emailed internal strategic messaging to a Belgian reporter expressing some of the difficulty in handling bulk scraping on large platforms.
"Longer term, though, we expect more scraping incidents and think it's important to both frame this as a broad industry issue and normalize the fact that this activity happens regularly," the representative wrote.
In a second blog post, Meta also announced it would invest in additional bug bounty educational opportunities, including a new conference — BountyConEDU — to be held in Madrid in February for European students. The company already hosts a professional conference, BountyCon.
