Facebook late last month announced it would provide monetary awards for the private disclosure of certain flaws that may “compromise the integrity or privacy of Facebook user data.”
Since then, one researcher already has received more than $7,000 for reporting six different issues, Joe Sullivan, Facebook's chief security officer, wrote in a blog post Monday on the Facebook Security page. And while $500 is the minimum bug reward, the social media giant has furnished $5,000 for one “really good report.”
Since launching the program, Facebook has heard from researchers in more than 16 countries. Though the issue of whether companies should provide incentives for the disclosure of security vulnerabilities has garnered debate among security professionals, Sullivan said Facebook's program has been more valuable than anticipated.
“It has been a joy to engage in dialogue about issues and hear from the diverse perspectives these people bring,” Sullivan wrote. “The program has also been great because it has made our site more secure – by surfacing issues large and small, introducing us to novel attack vectors, and helping us improve lots of corners in our code.”
As a downside, however, Facebook has had to deal with fake reports from individuals who are just looking for notoriety, he added.
Also, while the program has largely been a success, it will not be extended to the Facebook Platform or third-party applications and websites.
Instead, the company will deal with threats on the Platform and in third-party applications by relying on tools that automatically detect and shut down malicious and spam-sending applications.
“We have a dedicated platform operations team that scrutinizes these partners and we frequently audit their security and privacy practices,” Sullivan wrote.