
Facebook Offers Cash To 'Bug Bounty Hunters' At DefCon Hacker Conference


First Posted: 08/06/11 01:42 PM ET Updated: 10/06/11 06:12 AM ET

LAS VEGAS -- At the DefCon hacker conference this weekend in Las Vegas, a team from Facebook has been making the rounds and delivering an unusual message: Please hack us. We'll pay you for it.

The team, led by Facebook's Chief Security Officer Joe Sullivan, is promoting the company's new "bug bounty program," which pays researchers to report security flaws in the social-networking site of more than 750 million active users.

Facebook will pay a minimum of $500 for valuable information so long as the hacker agrees to not disclose the flaw until the company has fixed it. Since the program was announced last week, Facebook has already paid out one bounty of more than $3,000, Sullivan said.

"It mobilizes a lot of great security experts all over the world who are passionate about security," Sullivan told The Huffington Post. "Hackers like to hack. We're basically saying, 'We want you to hack our site and we want you to find things and we're happy to pay you.'"

To get paid, hackers must be the first to report the security flaw and must reside in a country not under U.S. sanctions. They must also adhere to the company's disclosure policy, which says that, to avoid being sued or investigated by law enforcement, researchers must make "a good faith effort" during their research to avoid privacy violations, destruction of data and interruptions to the site's service.

Facebook is not the only company looking to pay hackers for security help. Earlier this week, Microsoft said it would offer up to $200,000 to researchers who design new security technologies. Google also offers from $500 to more than $3,000 to researchers who find security flaws.

Photo caption: Joe Sullivan (left), Facebook's chief security officer, and Ryan McGeehan, Facebook's security manager for incident response, at the DefCon hacker conference in Las Vegas.

Facebook has been on high alert to potential malware since the discovery, more than two years ago, of Koobface, a quickly mutating computer worm that spread across the social networking site. The worm, which was created by criminal hackers, often disguised itself by inviting users to click on an entertaining video.

Sullivan said Facebook has a dedicated engineering team that builds tools to catch spammers on the site.

"It's a little bit of whack-a-mole, but they're so effective at it and that's why the vast majority of Facebook users have much less spam in their Facebook inbox than their email inbox," Sullivan said.

Earlier this week, Facebook celebrated a legal victory when Sanford Wallace, the self-proclaimed "Spam King," turned himself in to face charges he compromised about 500,000 Facebook accounts by sending large numbers of spam messages through the company's servers.

Facebook's bug bounty program is not the first time the company has asked for help from hackers. In June, the company hired George Hotz, the young hacker who gained notoriety in 2007 for "jailbreaking" Apple's iPhone, or getting around the phone's software controls.

Sullivan said DefCon is fertile recruiting ground for Facebook because the company is looking to hire people who live and breathe security.

"We try to only hire people who, when they're hanging out on Saturday night, are thinking about security," he said. "That's the people who are here right now and that's why we want to be there."
