Researchers will no longer be limited to “passively observing the vulnerability,” Facebook’s engineering security manager, Dan Gurfinkel, said in a statement.
The bug bounty hunters will now be able to actively test these third-party apps for security issues, as long as the third party authorizes the researchers, Facebook said. Think of it as the difference between finding a bug through observing traffic from a third-party app versus security researchers looking for ways a third-party app could abuse your data.
“This change significantly increases the scope of the security research that our bug bounty community can share with us and get rewarded for when they find potential vulnerabilities in these external apps and websites,” Gurfinkel said.
The rewards will be based on the severity of the bug, with a minimum payout of $500. Researchers will have to provide proof that the third-party apps authorized these penetration tests for the bug bounties.
Facebook first announced its bug bounty program for third-party apps in September 2018, taking aim at the ways people’s personal data could be leaked through irresponsible developers outside the social network’s control.
Third-party apps have been a major cause of Facebook’s privacy concerns, starting with its Cambridge Analytica scandal in 2018. Developers had made Facebook apps that were essentially harvesting data for researchers at Cambridge Analytica to use, threatening users’ privacy and creating the potential for political interference.
In April, security researchers found an open database of Facebook info, collected by a media company with an app on the social network.
While Facebook has its own security team on the hunt for data-stealing apps, bug bounties also let the company open up the search to the masses. In March 2018, Facebook first expanded its bug bounty program and started considering data-abusing apps as security flaws.
Bug bounty programs are a growing trend in cybersecurity, with companies like Apple offering up to $1 million for high-level hacks. Independent security researchers search for bugs and flaws that attackers could use, and get paid to inform the company rather than use the flaws for malicious purposes.
Often, the rarer the bug, the higher the bounty. On Tuesday, Facebook said it was upping the bounty for native code bugs, flaws that are difficult to find because they are hidden deep within the service.
Researchers who find and report a zero-click flaw in Facebook Messenger on iOS will now receive the full bug bounty plus a $15,000 bonus if they can provide a proof of concept, Facebook said. Zero-click flaws are rare because they don’t require any interaction from the victim to take effect.
Facebook also said it’ll be bringing its hardware to Pwn2Own Tokyo, a hacker conference set to take place in November. Companies often bring their own products to the conference so hackers can find vulnerabilities in their devices. Tesla brought a car to Pwn2Own Vancouver in March and successful hackers won it, along with a $35,000 reward.
Facebook is offering a $60,000 reward for successful hacks of its Portal device, and $40,000 for security flaws in the Oculus Quest.