Facebook is now seemingly taking additional steps to ensure a secure online environment, and this time it plans to work in a much broader manner. It recently announced another expansion of its bug bounty program to include third-party websites and apps that integrate with Facebook.
Facebook Bug Bounty To Include Integrating Third-Party Sites And Apps
Last year, Facebook expanded its bug bounty program to include third-party websites and apps. However, that expansion only applied to bugs that, in any way, led to the exposure of access tokens.
Now it has further increased the scope of the program. As announced in a recent post by Facebook’s Security Engineering Manager, Dan Gurfinkel, the program will cover all third-party sites and apps that integrate with Facebook.
With this move, Facebook aims to contain flaws that are unrelated to its own code but still affect the integrity of its users’ data. Facebook also believes the change will help researchers earn more bounties: they can now be paid for reporting bugs in websites that otherwise offer no notable incentives or fail to gain attention.
Changes In Bugs Qualifying For Bounty
Previously, Facebook only accepted bugs for a bounty if researchers discovered them by “passively viewing the data sent to or from the device while using the vulnerable app or website”.
It now also accepts reports of bugs discovered through active pentesting.
We are expanding the scope of this program to reward valid bug reports in third-party apps and websites that integrate with Facebook when they are found through active pen-testing authorized by the third-party rather than just by passively observing the vulnerability.
However, it requires researchers to comply with the vulnerability disclosure policy of the site or app concerned. As explicitly stated in the updated terms and conditions,
Facebook’s Bug Bounty Terms do not provide any authorization allowing you to test an app or website controlled by a third-party. Please only share details of a vulnerability if permitted to do so under the third party’s applicable policy or program.
Specifically, under this program, researchers must include proof of authorization from the third-party app or website with their reports.
Even after the changes, the minimum reward remains $500, with no upper cap.
Certainly, with this broader scope, the new bounty program will be quite enticing for bug bounty hunters who want to make money while securing the internet community.