Facebook is widening its “bug bounty” program, which was introduced last year as a way to reward researchers who find flaws in its public-facing systems. Now, the company is taking it a step further and offering to reward those able to spot and report holes in Facebook’s corporate network as well. According to a report from Bloomberg, Facebook security response chief Ryan McGeehan said: “If there’s a million-dollar bug, we will pay it out.”
The concept of rewarding hackers for finding vulnerabilities isn’t anything new, and other web giants like Google, Mozilla, HP and even PayPal do it. Web service companies may be able to limit any damage done with by rewarding others to report flaws, but it can still be a risky strategy. Hopes are that outsiders will be willing to actually report bugs to Facebook itself rather than selling them to others.
Facebook’s current retard system offers a minimum of $500 for reports of bugs and the company has already paid a total of $400,000 in rewards to researchers who have spotted them. Researchers must disclose the bug and are eligible for a reward as long as the bug reported could “compromise the integrity of Facebook user data, circumvent the privacy protections of Facebook user data, or enable access to a system within Facebook's infrastructure."
You can get the full details for bug reporting on Facebook’s Security Bug Bounty page.