SOCIAL NETWORK Facebook has added its recent acquisition Oculus VR to its bug hunting bonus payout offer.
Facebook only pays out to individuals, it said, and its lowest bounty amount is $500. The actual payout award depends on the circumstances and, one would expect, the potential impact of the vulnerability.
Facebook paid some $2bn for Oculus VR, so it might be safe to assume that the social network values its security just as highly as its own.
Since it launched its bug bounty programme, Facebook has paid out a number of awards, including one for a flaw that affected account login, for which it awarded a $20,000 reward. The Verge reports that last year Facebook parted with some $1.5m.
When Facebook launched the payout system it was criticised by a Sophos blogger for being slow to the party and cheap with its rewards. "Facebook is the most recent company to come to the bug-bounty party, officially announcing recently that 'to show our appreciation for our security researchers, we offer a monetary bounty for certain qualifying security bugs'," said Sophos' Paul Ducklin.
"There's been general approval of this step, though a few observers have claimed that Facebook's bounty is a bit on the cheap side."
Facebook's terms say that while bug finders will get only one reward per disclosure, it does not place any limit on the amount of each reward.
However, the firm has been criticised for its payments so far, even when it paid out $20,000. Then, bloggers reacted to the bounty with the suggestion that perhaps it was worth much more. "This issue is worthy [of a] million dollars," said one commenter.
We have asked Facebook to confirm that it has added Oculus VR to its white hat hackers posse programme. µ