Updates to the Bug Bounty Program

August 29, 2011 at 11:50am

Today I am writing about one recent improvement, our bug bounty program, that in a short time has proven valuable beyond our expectations.

 

Why a Bug Bounty Program?

 

Websites like Facebook that sit on the open Internet and offer a set of robust services don’t come together overnight.  We hire the best and brightest, and have implemented numerous protocols, like our six-week intensive “boot-camp” and peer-reviewed code pushes, to ensure that only code that meets our rigorous standards is active on the site.

 

Even so, sometimes software code contains bugs. Generally speaking, there are bugs in software because of software complexity, programming errors, changes in requirements, errors made in bug tracking, limited documentation or bugs in software development tools. To deal with this, we have entire teams dedicated to searching out and disabling bugs, and we also hire outside auditors to help test our code. Our all-night “bug-a-thons” are also successful in locating and fixing issues.

 

We realize, though, that there are many talented and well-intentioned security experts around the world who don’t work for Facebook. Over the years, we have received excellent support from independent researchers who have let us know about bugs they have found. A couple of years ago, we decided to formalize a “whitehat” program to encourage these researchers to look for bugs and report them to us. We received really positive feedback when we launched our responsible disclosure policy last year, in which we told researchers we would not take adverse actions against them when they followed the policy in reporting bugs. Here’s a post from the Electronic Frontier Foundation, which praised our approach. As the EFF points out, “Well-meaning Internet users are often afraid to tell companies about security flaws they've found — they don't know whether they'll get...slapped with a lawsuit or even criminal prosecution.” We worked with several third-party groups to ensure that the language in our policy protects researchers and makes clear our intent to work with, not punish, those who report information. We are one of the first companies to clearly lay out our policy in order to make those who discover vulnerabilities more comfortable in reporting, and we are happy to see that other organizations are adopting a similar stance.

 

A few weeks ago, we took that program to the next level--we started paying rewards to those who report bugs to us.  You can read about the details of the program here.  We established this bug bounty program in an effort to recognize and reward these individuals for their good work and encourage others to join.  

 

It has been fascinating to watch the roll-out of this program from inside Facebook. First, it has been amazing to see how independent security talent around the world has mobilized to help. We know and have relationships with a large number of security experts, but this program has kicked off dialogue with a whole new and ever-expanding set of people across the globe in over 16 countries, from Turkey to Poland, who are passionate about Internet security. The program has already paid out more than $40,000 in only three weeks and one person has already received more than $7,000 for six different issues flagged. It has been a joy to engage in dialogue about issues and hear from the diverse perspectives these people bring.

 

The program has also been great because it has made our site more secure--by surfacing issues large and small, introducing us to novel attack vectors, and helping us improve lots of corners in our code.   

 

Because bug reports are often complicated and can involve complex legal issues, we chose our words carefully when announcing the program. Perhaps because of this, there have been several inaccurate reports about how the program works.  For example, some stories said that the maximum payment would be $500, when in fact that is the minimum amount we will pay.  In fact, we’ve already paid a $5,000 bounty for one really good report.  On the other end of the spectrum, we’ve had to deal with bogus reports from people who were just looking for publicity.  

 

Some have even asked that we extend the bounty program to the Facebook Platform (the applications and websites built and run by third parties that you can connect to your Facebook identity). Unfortunately, that’s just not practical because of the hundreds of thousands of independent Internet services implicated, but we do care deeply about security on the Platform.  We have a dedicated Platform Operations team that scrutinizes these partners and we frequently audit their security and privacy practices. Additionally, we have built a number of backend tools that help automatically detect and disable spammy or malicious applications. People on our site agree that our protections, coupled with common sense, provide a rigorous level of security.

 

At the end of the day, we feel great knowing that we’ve launched another strong effort to help provide a secure experience on Facebook.  A bug bounty program is a great way to engage with the security research community, and an even better way to improve security across a complex technological environment.  Facebook truly does have the world’s best neighborhood watch program, and this program has proven that yet again for us.

 

Joe Sullivan, Facebook’s chief security officer, looks forward to reviewing your bug reports.