Scraping the Barrel: Meta Expands Its Bounty Program

Meta has expanded its bug bounty program to reward security researchers who discover new ways to conduct scraping attacks designed to collect information about Facebook users.

“We know that automated activity designed to scrape people’s public and private data targets every website or service,” Meta says in its announcement. “We also know that it is a highly adversarial space where scrapers — be it malicious apps, websites, or scripts — constantly adapt their tactics to evade detection in response to the defenses we build and improve.”

So the company decided to invite Hacker Plus members in the Gold, Platinum, and Diamond leagues to submit bugs that can be exploited to scrape Facebook user data. Meta says it is specifically “looking to find bugs that enable attackers to bypass scraping limitations to access data at greater scale than the product intended,” that is, bugs that make large-scale scraping cheaper for attackers to carry out.

“To the best of our knowledge, this is the first scraping bug bounty program in the industry,” Meta says. “We will work to address feedback from our top bounty hunters before expanding the scope to a greater audience.”

But the company isn't only rewarding security researchers who find bugs that can be exploited to conduct scraping attacks. Meta will also reward those who alert it to data sets that have already been scraped from its service and made available to the public. That way it can work to prevent such attacks while also mitigating the impact of scraping that's already taken place.

This data bounty program expansion also has restrictions. “We will reward reports of unprotected or openly public databases containing at least 100,000 unique Facebook user records with PII or sensitive data (e.g. email, phone number, physical address, religious or political affiliation),” Meta says. “The reported dataset must be unique and not previously known or reported to Meta.”


The company says it will contact hosting providers such as Amazon Web Services, Box, and Dropbox as appropriate to have the scraped information removed from their platforms. It is also planning to expand the scope of this program to datasets smaller than that 100,000-record threshold once it has feedback from researchers who discover and disclose these larger troves of data.

Meta says it doesn't want to encourage researchers to scrape data themselves by paying them directly for these disclosures, so it will instead “reward valid reports of scraped datasets in the form of charity donations to nonprofits of our researchers’ choosing.” Because the company matches bounty donations made to charities, the nonprofits will receive more than the base bounty amount.
