
Facebook Pays Hackers To Fitch-out Security Bugs - Science/Technology - Nairaland


Facebook Pays Hackers To Fitch-out Security Bugs by johndik(m): 9:22am On Oct 16, 2019
Last year, the company began paying bounties for certain bugs researchers might find in third-party services that integrate with Facebook. It will now expand the types of bugs that are eligible, and even pay out for bugs that have also been directly submitted to another developer’s own bug bounty. Essentially, Facebook is willing to reward bugs that impact its platform even if a researcher has already gotten another payout elsewhere for finding it. The company is also adding bonuses from $1,000 to $15,000 if researchers find bugs in the fundamental code of its native products—like Messenger, Oculus, Portal, or WhatsApp—and then also submit additional materials, like showing how the bugs could actually be exploited in the wild. Before now, there wasn’t a specifically codified bonus structure if you went above and beyond in a submission, a practice Facebook wants to encourage.

“Reports submitted to us thanks to security researchers allow us to learn from their insights,” says Dan Gurfinkel, who heads Facebook’s bug bounty program. “And that allows us to catch more bugs in the future. Humans are always more creative than machines, so we want to see how they’re able to bypass our protections.”

In Facebook’s notorious data breach last year, for example, hackers abused a chain of three bugs that allowed them to grab account authentication tokens through the “View As” feature. Around the same time, Facebook disclosed and patched a critical WhatsApp bug submitted through its bounty program that exploited a flaw in the WhatsApp media gallery flow.

Facebook offers a minimum payout of $500 for accepted bugs, and no maximum—meaning that there’s no specific upper limit on how valuable a bug could potentially be. So far the largest payout from Facebook’s bounty is $50,000, while Apple will pay out up to $1 million for the most valuable iOS bugs.

It’s worth it to Facebook to get on top of the unintended potential data exposures that come from third-party integrations. Facebook previously only allowed bug hunters to submit findings about third parties that came from analyzing publicly available information without actively hacking those services. But now, Facebook will accept bugs discovered through active penetration testing, so long as the approach complies with the guidelines set out by the third party itself. The idea of potentially double-paying for bugs is unusual, but may give Facebook more insight into the type of bugs third parties have and whether they’ve been fixed.

Source: https://ajuju.com.ng/2019/10/16/facebook-pays-hackers-to-fitch-out-security-bugs.html
