Facebook's Reward for Bug Hunters
Tal Be’ery was happy helping Facebook fight hackers for free. In 2010, when the computer security professional was looking into how identity thieves, spammers, and other con artists used fake Facebook profiles to mount scams, he discovered a flaw that put new users’ passwords at risk of interception.
So Be’ery did what ethical hackers are supposed to do: He ignored the payday he undoubtedly could get from selling the information to criminals and alerted Facebook, which quickly fixed the problem. In recognition, the world’s biggest social media company added Be’ery’s name to a public list of researchers who have responsibly disclosed Facebook bugs.
At the time, that was reward enough for the Tel Aviv resident. Today the 32-year-old wishes he had something more tangible to show for his diligence—namely one of the debit cards Facebook began handing out to bug catchers in July. The Visa-branded cards are loaded with as little as $500 or as much as $5,000—amounts vary depending on the severity of the bug. More important, the shiny black cards are brimming with geek cachet. There’s a whiff of exclusivity about them: Think American Express’s by-invitation-only Centurion cards, which are also ebony. “That would be so great to get that,” says Be’ery. “To tell your grandchildren, ‘Papa was a hacker once.’ Just for the symbolic value.”
The cheeky conceit behind Facebook’s debit cards underlines a serious issue. Technology companies are torn about how to engage with application developers or security researchers who spot bugs in the course of their professional work or hobbies. Many businesses ignore unsolicited tips from so-called white-hat hackers. Some even threaten them with legal action. Criminals, governments, and sketchy middlemen are willing to pay top dollar for the nastiest bugs—experts say black market prices can go as high as $1 million.
Apple doesn’t buy information about bugs. Neither does Microsoft, though it is running a $250,000 contest to develop a specific type of security technology. Google started paying for bug detection in 2010 and has handed out more than $700,000, according to the company.
Facebook’s six-month-old bug bounty program has already distributed $190,000 in debit cards to 93 researchers, says Joe Sullivan, Facebook’s chief security officer. The most anyone has collected is $24,000.
Neal Poole, a junior at Brown University, has been paid for 15 Facebook bugs he’s discovered. Though he won’t say how much he’s made, the 22-year-old acknowledges that bug-hunting has become a nice part-time job. Poole says he’s also participated in bounty programs run by Google and Mozilla, maker of the Firefox browser. “The money changes the incentive, but even without the money, I had participated in the past and probably would have in the future,” says the computer science major.
The black debit cards are “a cool little incentive” that have the additional benefit of making his friends envious, according to Poole. “It’s a gimmick, but so are the T-shirts and hats and things” that other companies use to reward tipsters, he says. Poole’s sleuthing helped net him another prize: a summer internship on Facebook’s security team.
Facebook’s Sullivan says the bounty program has been a good investment. The company was getting about two vulnerability disclosures per week before it launched. Now it’s up to eight or nine. Says Sullivan: “$190,000 sounds like a lot, but in the context of our work it’s a drop in the bucket.”
Still, the concept of incentivizing bug hunters with monetary rewards remains controversial in some quarters of the industry. “We absolutely value the researcher ecosystem, and show that in a variety of ways, but we don’t think paying a per-vulnerability bounty is the best way,” Microsoft said in a statement.
For professionals and hobbyists alike, there is no shortage of targets. IBM’s X-Force security unit says that worldwide, more than 7,000 vulnerabilities are disclosed per year. The actual number is probably higher, because not all discoveries are made public. Social networking sites such as Facebook are particularly vulnerable because of the amount of unfiltered content that users post themselves.
With its black plastic, Facebook has won over hobbyist hackers such as Hanford Lemoore. “I want one of those debit cards!” writes Lemoore in an e-mail. The San Francisco game designer earned an honorable mention from Facebook for alerting the company to a bug. But that was before Facebook instituted the bounty program. “It’s a novel reward,” says Lemoore. “I don’t think there’s any real value to it other than a neat badge of pride to show other tech friends. Well, that, and the cash on it.”