Huffpost Technology
Facebook Offers Cash To 'Bug Bounty Hunters' At DefCon Hacker Conference

Facebook has launched a new “bug bounty program,” which pays researchers to report security flaws in the social-networking site | Gerry Smith

LAS VEGAS -- At the DefCon hacker conference this weekend in Las Vegas, a team from Facebook has been making the rounds and delivering an unusual message: Please hack us. We'll pay you for it.

The team, led by Facebook's Chief Security Officer Joe Sullivan, is promoting the company's new "bug bounty program," which pays researchers to report security flaws in the social-networking site of more than 750 million active users.

Facebook will pay a minimum of $500 for valuable information so long as the hacker agrees to not disclose the flaw until the company has fixed it. Since the program was announced last week, Facebook has already paid out one bounty of more than $3,000, Sullivan said.

"It mobilizes a lot of great security experts all over the world who are passionate about security," Sullivan told The Huffington Post. "Hackers like to hack. We're basically saying, 'We want you to hack our site and we want you to find things and we're happy to pay you.'"

To get paid, hackers must be the first to report the security flaw and must reside in a country not under U.S. sanctions. They must also adhere to the company's disclosure policy, which says that, to avoid being sued or investigated by law enforcement, researchers must make "a good faith effort" during their research to avoid privacy violations, destruction of data and interruption of the site's service.

Facebook is not the only company looking to pay hackers for security help. Earlier this week, Microsoft said it would offer up to $200,000 to researchers who design new security technologies. Google also offers from $500 to more than $3,000 to researchers who find security flaws.

Joe Sullivan (left), Facebook's chief security officer, and Ryan McGeehan, Facebook's security manager for incident response, at the DefCon hacker conference in Las Vegas

Facebook has been on high alert to potential malware since the discovery more than two years ago of Koobface, a quickly mutating computer worm that spread across the social-networking site. The worm, which was created by criminal hackers, often disguised itself by inviting users to click on an entertaining video.

Sullivan said Facebook has a dedicated engineering team that builds tools to catch spammers on the site.

"It's a little bit of whack-a-mole, but they're so effective at it and that's why the vast majority of Facebook users have much less spam in their Facebook inbox than their email inbox," Sullivan said.

Earlier this week, Facebook celebrated a legal victory when Sanford Wallace, the self-proclaimed "Spam King," turned himself in to face charges he compromised about 500,000 Facebook accounts by sending large numbers of spam messages through the company's servers.

Facebook's bug bounty program is not the first time the company has asked for help from hackers. In June, the company hired George Hotz, the young hacker who gained notoriety in 2007 for "jailbreaking" Apple's iPhone, or getting around the phone's software controls.

Sullivan said DefCon is fertile recruiting ground for Facebook because the company is looking to hire people who live and breathe security.

"We try to only hire people who, when they're hanging out on Saturday night, are thinking about security," he said. "That's the people who are here right now and that's why we want to be there."
