Facebook was a relatively early proponent of so-called bug bounties, paying out more than $6 million to security researchers who have spotted vulnerabilities in its platform since its program launched in 2011. But as the social network has faced a series of high-profile and impactful controversies[1], its bug bounty increasingly doubles as an opportunity for Facebook to demonstrate maturation. That trend continues Monday, with the company's latest expansion.
Facebook will now accept reports not just about vulnerabilities in its own products, but about those in third-party apps and services that connect to Facebook user accounts. Third-party interactions create user risk on the social network, since Facebook vets but doesn't develop the outside apps and can't ensure their integrity as thoroughly as it can its own platform. Users are also responsible for managing the permissions of third-party apps, which can be a confusing and opaque process.
The bounty expansion will specifically focus on third-party bugs that relate to exposure of "user access tokens," the credential that identifies a user to an app and carries the permissions that user granted it. Anyone who obtains such a token can act against the Facebook account with those permissions, so a leaked token can be exploited to gain inappropriate types of access. For example, researchers have found[2] things like personality quiz services and JavaScript components in apps that invasively track user data or pilfer information.
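As an added illustration of the failure mode the bounty targets (this is example code written for this page, not Facebook's code or any app's), the script below scans request logs from a hypothetical third-party app for user access tokens that escape to outside hosts. The two leak patterns it looks for are a token placed in the query string of a request to a non-Facebook host, and a token embedded in a page URL that the browser then forwards to a tracker in the Referer header. The log format, the hostnames (quiz.example, tracker.example, analytics.example), the token strings and the FIRST_PARTY host list are all constructed assumptions for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample log from a hypothetical third-party app's outbound proxy.
# Hostnames and token values are invented for this example; none are real.
# Line 1: token sent to Facebook's own Graph API (expected usage, not a leak).
# Line 2: page URL carrying a token is forwarded as Referer to an outside tracker.
# Line 3: clean request.
# Line 4: token passed directly in the query string to a third-party analytics host.
SAMPLE_LOG = """\
GET https://graph.facebook.com/v3.1/me?fields=id,name&access_token=EAAB.constructed.token.1 referer=- status=200
GET https://tracker.example/pixel.gif?ev=view referer=https://quiz.example/result?access_token=EAAB.constructed.token.2 status=200
GET https://quiz.example/static/app.js referer=https://quiz.example/ status=200
GET https://analytics.example/collect?access_token=EAAB.constructed.token.3&ev=load referer=https://quiz.example/ status=204
"""

# Assumption: hosts to which an app legitimately presents a user access token.
FIRST_PARTY = {"graph.facebook.com", "www.facebook.com"}

# Query parameter names treated as carrying a user access token.
TOKEN_PARAMS = {"access_token", "fb_access_token"}

# Constructed log line shape: METHOD URL referer=URL-or-dash status=CODE
LINE_RE = re.compile(
    r"^(?P<method>\S+) (?P<url>\S+) referer=(?P<referer>\S+) status=(?P<status>\d+)$"
)

# Matches a token parameter and its value so the value can be redacted.
TOKEN_VALUE_RE = re.compile(r"((?:access_token|fb_access_token)=)[^&\s]*")


def host_of(url):
    """Hostname of a URL, or '' for the '-' placeholder and unparsable input."""
    if url == "-":
        return ""
    return urlsplit(url).hostname or ""


def token_params_in(url):
    """Names of token-bearing query parameters present in a URL."""
    if url == "-":
        return []
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return [name for name in qs if name in TOKEN_PARAMS]


def find_leaks(log_text, first_party=FIRST_PARTY):
    """Return (line_number, channel, receiving_host) for each token leak found.

    channel is 'query' when the token is in the request URL to a non-first-party
    host, and 'referer' when a token-bearing page URL was forwarded to another host.
    """
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the constructed format
        url, referer = m["url"], m["referer"]
        dest = host_of(url)
        # A token in the request URL is normal toward Facebook's API hosts and a leak elsewhere.
        if token_params_in(url) and dest not in first_party:
            findings.append((lineno, "query", dest))
        # A token in the Referer means the page URL carried it and the browser
        # forwarded it to whatever the page loaded from another origin.
        if token_params_in(referer) and dest != host_of(referer):
            findings.append((lineno, "referer", dest))
    return findings


def redact(url):
    """Replace token parameter values with a placeholder before a URL is logged or forwarded."""
    return TOKEN_VALUE_RE.sub(r"\1[REDACTED]", url)


def redact_log(log_text):
    """Apply redact() to every line of a log, preserving the line structure."""
    return "\n".join(redact(line) for line in log_text.splitlines()) + "\n"


if __name__ == "__main__":
    for lineno, channel, dest in find_leaks(SAMPLE_LOG):
        print(f"line {lineno}: token leaked via {channel} to {dest}")
    print(redact_log(SAMPLE_LOG))
```

The detector treats a token in a query string toward a first-party host as expected usage, so it is only as good as the FIRST_PARTY list; the Referer check is the one most apps miss, because the token never appears in a request the app itself makes to the tracker. Redaction at the logging boundary does not fix the leak, it only keeps the log from becoming a second copy of it; the real fix is to keep tokens out of page URLs altogether.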
"This is part of our ongoing efforts to improve the security and privacy of people who use Facebook," Dan Gurfinkel, security engineering manager at Facebook, wrote in a blog post[3] announcing the incentive Monday. "We want researchers to have a clear channel to report these important issues when they find them, and we want to do our part to protect people's information, even if the source of a bug is not in our direct control."
In April, as the Cambridge Analytica data misuse