At the Defcon hacker conference this week in Las Vegas, Facebook is not only recruiting new security experts, but is also spreading the word about bounties it's issuing — on its own bugs. "The internet is hostile, you have to assume that people are trying to break in," Facebook Security team member Fred Wolens told The Verge. Facebook has offered rewards to hackers before, and has even hired quite a few high-profile hackers, but never this formally.
While "bug bounties" for hackers previously covered bugs in Facebook products, bounties now cover Facebook servers and infrastructure as well. The company has already handed out over $400,000 in bounties thus far, with each bounty reward ranging between $500 (the minimum) and $10,000 for a critical vulnerability. "We push daily," Facebook Security's Alex Rice said, "so we can hot fix something any time of the day. A bug fix could take an hour to fix for all of our users worldwide." On its earnings call yesterday, Facebook announced that it had nearly a billion monthly users. "We can turn around fixes so quickly, and that's something most companies aren't capable of doing. That minimizes the possibility of a bug getting exploited," he said.
Facebook has thus far handed out bounties to over 150 researchers in 30 countries, with 50 of those researchers coming back for seconds or thirds. Most of the researchers come from the US, but the number of researchers coming from India is growing fast, as are the numbers from Russia, Germany, the UK, Poland, and Turkey. One of the most prolific researchers Facebook identified, Neal Poole, was brought on as an intern at the company. "It's an equation on how well we work with the researcher," said Wolens. "If they're communicating well with us and explaining risks and what they've found, we offer more." Facebook doesn't offer bounties for vulnerabilities relating to denial of service, spamming techniques, third-party app vulnerabilities, or third-party site vulnerabilities with Facebook integration.
The company hopes that by continually cultivating relationships with the web development and white hat hacking communities, it can respond to bugs with a care that other large companies haven't shown — and also reward those who help out with money and protection. "Our goal is to create the safest possible environment," Wolens said. "Engaging with the broader security community can only help us."