Remember Google’s Chrome “Bug Bounty” program? Well, when Google released Google Chrome 12, it announced on its blog that it rewarded developers/researchers who found vulnerabilities (bugs) in its code. Earlier in August 2010, it was reported that Google gave away a total estimate of $10k of rewards. Mozilla too has the bug bounty program which pays $3,000 in hard cash plus a free Mozilla T-shirt for finding bugs!

Facebook has joined Google and Mozilla, and is following the “Bug Bounty” program, by rewarding its security researchers. However, the reward offered is way too less. For security related bugs – cross site scripting flaws, for example – the company will pay a base rate of $500, but if they’re highly significant flaws, Facebook has promised to pay more. However, the company executives haven’t revealed the bonus reward.

“To show our appreciation for our security researchers, we offer a monetary bounty for certain qualifying security bugs,” Facebook stated on its portal.

Facebook launched a new Whitehat hacking portal where researchers can sign up for the program and report bugs. They have also published a list of about 42 researchers who have made “responsible disclosures” in the past.

With over 750 million active users, looks like Facebook is highly concerned about its security issues. Facebook hired a computer hacker who was recently sued by Sony for hacking the online gaming system PlayStation 3, last month

If a bug has been discovered, the researchers are asked to provide as much information as possible. In order to receive the award, a detailed explanation of steps is required and all legitimate reports will be investigated.

Here’s the company’s policy -

“If you give us a reasonable time to respond to your report before making any information public and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research, we will not bring any lawsuit against you or ask law enforcement to investigate you.”

In addition to that, the researcher who reports a bug first is only rewarded. For instance, if two researchers find the same bug individually, the first one who reports it will be eligible to claim the reward.

Facebook’s Bug Bounty Eligibility Rules

In order to be eligible for the reward, researchers must follow to Facebook’s Responsible Disclosure Policy.