Facebook is working on setting up a bug bounty program that would encourage security researchers to discover vulnerabilities on its platform and report them responsibly.
Joe Sullivan, Facebook's chief security officer, told us today at the Hack in the Box Amsterdam 2011 security conference that the company is currently testing such a system and hopes to launch it soon.
Vulnerability reward programs are not new. In fact, they’ve been around since the Netscape era.
In 2004 Mozilla introduced a bug bounty system for vulnerabilities discovered in Firefox, then last year Google did the same for Chromium, the open source project behind Google Chrome.
However, it was Google that began rewarding vulnerabilities found in its web services first, a move that was mirrored by Mozilla a month later.
Bug bounty programs are not only about rewarding researchers, which is an honorable thing to do, but also about drawing security attention towards a particular product or service.
Since more people will be interested in poking around it and uncovering flaws, the system will become progressively more secure and there will be fewer flaws left for cybercriminals to find.
No details about the program’s possible payouts or rules have been released, but we’re hoping the rewards will at least match those offered by Mozilla and Google.