The Inquirer

Facebook offers a $500 bounty to bug hunters

Sophos has criticised it already
Mon Aug 01 2011, 13:07

SOCIAL NETWORKING MONSTER Facebook has started a bug finding reward programme that it expects will help cut down on security attacks on its systems.

The move has been criticised by the security firm Sophos, which - to our applause - seems to react to every move from Facebook by reaching for its revolver.

"Facebook is the most recent company to come to the bug-bounty party, officially announcing recently that 'to show our appreciation for our security researchers, we offer a monetary bounty for certain qualifying security bugs'," writes Sophos' Paul Ducklin.

"There's been general approval of this step, though a few observers have claimed that Facebook's bounty is a bit on the cheap side."

Ducklin, who is saving his criticism for later, said that while the firm has been criticised for this low reward, it is actually in line with payouts from other firms, including Google. He explains, however, that Google's sliding reward scale starts at the same figure.

However, how cheap or not Facebook is being is not up for debate here. What is, though, is how the firm is going about offering its rewards and how it is treating its bounty hunters.

Ducklin, it seems, would like it if Facebook paid out the money every time someone had a problem with its security in general, something that he suggests could make individuals a lot of money.

"The bad news is that Facebook is only interested in security reports to do with explicit web coding flaws, such as XSS (cross-site scripting) bugs or code injection faults," he added.

"Bugs or shortcomings in the company's general attitude to security don't count. Sadly, that means you can't grab yourself a quick $1500 by simply sending in Naked Security's Three Simple Steps To Better Facebook Security."

Sophos also criticised Facebook for not offering bounties on problems with third-party applications, something that it has been known to complain about in the past.

Ducklin has taken offence at something else, too: the bully-boy tactics hidden in Facebook's responsible disclosure doctrine.

The wording here, "If you give us a reasonable time to respond to your report before making any information public and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research, we will not bring any lawsuit against you or ask law enforcement to investigate you," is chilling according to the Sophos blogger, and we cannot help but agree with him.

"Facebook, please change both your sentiment and your wording! You're entitled to bring a lawsuit against anyone you think you have a case against, and you're entitled (some would say morally obliged) to call in law enforcement whenever you think you've got a crime to report," he added.

"If you want to wave around the threat of lawsuits and of calling the cops, why not do so against the huge number of scammers who already plague your social network? Please don't write what sounds eerily close to a threat to the very security researchers you want to get working on your behalf!"

Facebook, an iron fist in a velvet glove that holds the majority of your personal information, photos, location data, and data relating to your friends and family. Don't you just love it?

Comments
Cheap Bastards

"Facebook offers a $500 bounty to bug hunters"
The more they make, the cheaper they get. Why not pay for the services of good "bug hunters" (hackers) instead of cheaping out? Oh well, you get what you pay for.

posted by: Crusher, 01 August 2011