Facebook is one of the largest destinations on the internet, boasting more than a half-billion users from all over the world. It’s a multibillion dollar company, with an enormous team of dedicated specialists that code and test the site to make sure it functions properly. Despite that, Facebook is willing to pay anyone, almost anywhere, for finding a security flaw on the site and reporting it to them.
The “bug bounty” program was set up by Facebook as a reward for users, so that bugs get reported instead of exploited. The premise is simple – if a bug that can be used to exploit a security flaw on Facebook is reported to the security team, they will pay the person who found it a minimum of $500. There is no upper limit, and so far they’ve paid out as much as $20,000 for a single bug. More than 300 bug bounties have been collected so far, and some individuals have made more than $100,000 in total.
Not all bugs are eligible for a bounty. Facebook is careful to state that only bugs that specifically affect site security can be claimed, and they only pay the bounty to the first user to report a given bug. Users are expected to make a test account to attempt to replicate the bug (one of the few reasons Facebook accepts for having multiple accounts), unless a new account won’t have the functionality needed to produce the results. Anyone who finds a bug is eligible to receive a bounty, with the exception of people who live in countries currently under economic sanctions from the United States, like Libya or North Korea.
On Facebook’s blog, the security team offers an example of the kind of bug they’re looking for. At one time, Facebook groups had a security flaw. If a group lost all of its members except one, and that member was not a group admin, Facebook would automatically offer them admin abilities. However, the group logic could not recognize when a member had other members blocked. This meant that someone could block every other member of a group they were in, and the site would offer them full administrative privileges even though the group wasn’t actually empty. This bug has since been found and dealt with, but the security team states that if the same bug were found today, they would pay a bug bounty of at least $10,000 for the information.
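To make the logic flaw concrete, here is an added toy model of that group-admin check (example code written for this article, not Facebook’s code; the `Group`, `User` and `should_promote_*` names are assumptions). The vulnerable version decides from the member list as the viewer sees it, so blocking everyone else makes the group look empty; the fixed version decides from the real membership.

```python
from dataclasses import dataclass, field

@dataclass
class Group:
    # Constructed sample model: members and admins are sets of user names
    members: set
    admins: set

@dataclass
class User:
    name: str
    blocked: set = field(default_factory=set)  # names this user has blocked

def visible_members(group, viewer):
    # The member list as `viewer` sees it: blocked users are hidden from them
    return {m for m in group.members if m not in viewer.blocked}

def should_promote_vulnerable(group, user):
    # Flawed check: "am I the last member?" is answered from the
    # viewer-filtered list, so blocking every other member passes it.
    if user.name not in group.members or user.name in group.admins:
        return False
    return visible_members(group, user) == {user.name}

def should_promote_fixed(group, user):
    # Corrected check: answer the same question from the real membership,
    # which a user's block list cannot influence.
    if user.name not in group.members or user.name in group.admins:
        return False
    return group.members == {user.name}

if __name__ == "__main__":
    # Constructed scenario: bob is an ordinary member who blocks everyone else
    g = Group(members={"alice", "bob", "carol"}, admins={"alice"})
    bob = User("bob", blocked={"alice", "carol"})
    print("vulnerable:", should_promote_vulnerable(g, bob))  # True
    print("fixed:     ", should_promote_fixed(g, bob))       # False
```

The fixed check still promotes a genuinely last remaining non-admin member; it only stops the view-dependent shortcut.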
The bug bounty program is known as whitehat, a reference to the hacking community. White hat hacker is the name given to the “good guys” of the hacking world, computer experts who put their knowledge to work to help find and fix problems before they cause any damage. In the early days of the internet, white hat hackers were responsible for helping to develop many of the security protocols that are standard today, and Facebook intends for their work to continue to be a boon to everyone.
As more people learn about the bug bounty, it becomes more difficult to cash in on one. However, Facebook is a constantly evolving system, and with every new design change comes a whole host of new design flaws. With a little expertise and dedication, those new flaws could turn into a great way for a casual white hat hacker to make some extra money.