Meta is getting serious about its bug bounty program

Security Bug
(Image credit: Shutterstock)
Audio player loading…

Meta has announced a number of expansions to its bug bounty program (opens in new tab) as the company looks to crack down on data scraping as well as large unprotected data sets containing Facebook (opens in new tab) user information.

Over the past 10 years, the company's bug bounty program has grown from just Facebook's website to covering all of its web and mobile clients across all of its apps, services and companies including Instagram, WhatsApp, Quest, Workplace (opens in new tab) and more.

In fact, since 2011 Meta has paid out over $14m in bug bounties and received more than 150k reports of which 7,800+ were awarded a bounty. So far this year, the company has received around 25k reports and issued bounties on over 800 reports.

Meta designed its bug bounty program to remain agile from the beginning so that it could pivot in response to emerging risk areas as it did with platform abuse after Cambridge Analytica (opens in new tab) as well as with attacks targeting access tokens in 2018. Now the company plans to focus on expanding its bug bounty program to address new risk areas as well as creating new initiatives to recruit and retain security researchers.

Covering scraping and unprotected datasets

As scraping (opens in new tab) continues to be an internet-wide challenge for tech companies, Meta has announced in a new blog post that it will open up two new areas of research for its HackerPlus bug bounty community.

Beginning as a private bounty track for the company's Gold+ HackerPlus researchers, its bug bounty program will now reward reports about scraping bugs. The goal of this program is to find bugs that attackers are utilizing to bypass scraping limitations in order to access data at a greater scale than is intended in its products.

Meta aims to be able to quickly identify and counter scenarios that might make scraping less expensive to execute. It's worth noting that this is the the industry's first bug bounty program for scraping and hopefully, other tech giants will follow suit.

Additionally, Meta is expanding its data bounty program (opens in new tab) to reward reports of unprotected or openly public datasets (opens in new tab) containing at least 100,000 unique Facebook user records which include information such as users' emails, phone numbers, physical addresses, religion or political affiliation. However, the reported data set must be unique not previously known or reported to the company. 

At the same time, Meta will reward valid reports of scraped data sets in the form of charity donations to nonprofits of a researcher's choosing to ensure that the company is not incentivizing scraping activity.

We've also rounded up the best firewall (opens in new tab)best endpoint protection software (opens in new tab) and best malware removal software (opens in new tab)

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.