Facebook to pay Security Researchers for disclosing Bugs in Third-party apps



Facebook introduced the "Data Abuse Bounty" program last year as a reward scheme under which anyone who reports a valid incident of an app collecting users' data in violation of its data policies receives a cash prize.

But within its vast ecosystem of millions of third-party apps, only a few developers have implemented a vulnerability disclosure program, so most are unable to offer bug bounty rewards to security researchers who responsibly report bugs in their apps, which in turn has limited the program's reach.

Now, in a move to encourage third-party app developers to take security more seriously by setting up a vulnerability disclosure program, Facebook has expanded the program to cover third-party apps and to pay security researchers for disclosing bugs in them.

Facebook's earlier expansion of the bounty program to third-party apps was valid only for submissions involving the exposure of Facebook user tokens that compromises the login details for a third-party app using Facebook.

The expansion now includes all third-party apps in its ecosystem, and requires that such third-party app developers set up a vulnerability disclosure policy so that researchers are eligible for rewards when bugs are found in their code and can claim them from Facebook.

The scope is to reward valid bug reports in third-party apps or websites that directly integrate with Facebook, provided the bugs are discovered through penetration testing authorized by the third party rather than by merely passively observing the vulnerability.

Facebook promises to issue rewards based on the validity of the reported bugs and other factors indicated in its terms, with a minimum reward of $500.
