After Google and Mozilla, Facebook will now pay cash rewards to researchers who privately report vulnerabilities that could compromise the privacy or security of Facebook users.
Facebook will pay $500 for the discovery of most website flaws, such as XSS (cross-site scripting) errors, and may pay more for certain specific bugs. To qualify for the reward, the reporter must be the first person to privately report the bug and must reside in a country that is not under any current US sanctions.
This is good news for the many researchers who spend considerable time and expertise finding and reporting serious vulnerabilities in websites and software. Most software companies, including Microsoft and Oracle, refuse to pay private bug reporters, even though they are aware of the benefits of such programs.
The first software maker to offer a reward for bug reporting was Mozilla, which years ago began offering $500 rewards for reported bugs. Google later followed and started paying its bug reporters as well. A Google spokesman said, “We’re very happy with the success of our vulnerability reward program so far.”
To qualify for the cash rewards, researchers must report privately to the company and give it a reasonable time to respond before publicly disclosing the flaw. Denial-of-service vulnerabilities, spam, social engineering techniques, and bugs in third-party apps, third-party websites, or Facebook’s corporate infrastructure do not qualify.