Facebook, like many other developers, has been offering a reward system for anyone who finds security holes in its website. What are these rewards? Cold, hard cash. Or more likely a bank transfer or PayPal payment; but still, it’s money.
In just the first 21 days after launching the program, Facebook has purportedly paid out over £25,000 to anonymous sources for their hard work; though this is of course a drop in the bucket for the social networking site. As it stands, the site pays out $500 for smaller flaws that are discovered, with the largest ones garnering a more impressive $5,000 bounty. The larger amount has already been paid out twice, according to the Facebook blog.
Offering freelance hackers cash-based payouts for discovering security holes is a wet dream for many a home-brew security specialist, and it helps harden the defences of sites and software, as it brings in many more people who are able to test a wider array of features. However, it also brings on board people who might otherwise have done it merely for fun, perhaps exploiting the bugs for their own gain. Now those few will receive a payout as opposed to doing something nefarious.
However, some claim that Facebook isn’t going far enough with its bounty scheme. “They’re specifically not going to reward people for identifying rogue third party Facebook apps, clickjacking scams and the like,” said Graham Cluley, senior technology consultant at Sophos. “It’s those sorts of problems which are much more commonly encountered by Facebook users and have arguably impacted more people.”
Facebook currently employs an internal team of testers, as well as an external one. With home users now coming on board, it seems likely that the social networking site will be shoring up its defences quite well. Whether this will help prevent privacy invasions is another matter, as Facebook has been guilty of pushing a “see-all” approach to everyone’s profiles and information for years.