ID: IRCNE2011071197
Date: 2011-07-30
"ZDNet" reports that, as Facebook struggles to cope with a surge in malicious attacks against its massive user base, it has joined a growing list of companies offering cash to hackers who responsibly report security vulnerabilities found on its web site.
With the new Security Bug Bounty program, Facebook plans to shell out $500 for security bugs “that could compromise the integrity or privacy of Facebook user data.”
The following types of vulnerabilities could qualify for the bounty:
· Cross-Site Request Forgery (CSRF/XSRF)
· Cross-Site Scripting (XSS)
· Remote Code Injection
Facebook users are inundated with malicious attacks that exploit clickjacking/likejacking, cross-site scripting, CSRF and other Web-app vulnerabilities, and the company hopes the new bug bounty program will help improve the quality of its code.
To qualify for a Facebook cash reward, security researchers must adhere to the company’s Responsible Disclosure Policy and agree to give Facebook “reasonable time to respond” before making any information public.
According to "CNET", meanwhile, Facebook is giving security researchers a way to create test accounts on Facebook so that their testing does not violate the terms of use or affect other Facebook users.
Although a typical bounty is set at $500, Facebook says it may increase the reward for specific, high-impact vulnerabilities.
The following bugs aren’t eligible for a bounty:
- Security bugs in third-party applications (e.g., http://apps.facebook.com/[app_name])
- Security bugs in third-party websites that integrate with Facebook
- Security bugs in Facebook’s corporate infrastructure
- Denial of Service Vulnerabilities
- Spam or Social Engineering techniques
Mozilla, Google and Barracuda Networks are among companies offering cash rewards for security holes in software products and Web sites.