Facebook launches ‘bug bounty’ program offering up to $40,000 for reporting misuse of data

In the wake of the Cambridge Analytica row that left Facebook red-faced, the social media giant has stepped up its efforts to tighten data protection and show that it values users' privacy. On Tuesday, Facebook announced a bounty program that will reward people for reporting data abuse by app developers on its platform, so that it can catch Cambridge Analytica-like situations earlier in the future.

The “Data Abuse Bounty” program, which Facebook describes as the first of its kind in the industry, has payouts starting at $500. The company noted that there is no maximum amount; high-impact reports under its existing bug bounty have paid as much as $40,000.

“We committed to launching this program a few weeks ago as part of our efforts to more quickly uncover potential abuse of people’s information. The Data Abuse Bounty, inspired by the existing bug bounty program that we use to uncover and address security issues, will help us identify violations of our policies,” Collin Greene, Head of Product Security, wrote in a blog post, late on Tuesday.

“This program will reward people with first-hand knowledge and proof of cases where a Facebook platform app collects and transfers people’s data to another party to be sold, stolen or used for scams or political influence. Just like the bug bounty program, we will reward based on the impact of each report. While there is no maximum, high impact bug reports have garnered as much as $40,000 for people who bring them to our attention.”

Greene further added, “We’ll review all legitimate reports and respond as quickly as possible when we identify a credible threat to people’s information. If we confirm data abuse, we will shut down the offending app and take legal action against the company selling or buying the data, if necessary. We’ll pay the person who reported the issue, and we’ll also alert those we believe to be affected.”

The “Data Abuse Bounty” is modeled on the existing bug bounty program that the company uses to discover and address security flaws, and is meant to help Facebook detect violations of its platform policies that do not involve a technical vulnerability. Facebook pays out over $1 million a year on average in bug bounties, executives said.

“It will help us find the cases of data abuse not tied to a security vulnerability. … This will cover both hemispheres, and help surface more cases like Cambridge Analytica so we can know about it first and take action,” Facebook’s chief security officer, Alex Stamos, told CNBC.

Currently, the company’s “bug bounty team” has about 10 employees, but Facebook plans to hire more people and involve other teams in order to investigate validated claims.

To be eligible, a case must involve at least 10,000 Facebook users. The reporter must show how the data was actually abused, not merely collected, and the case must be one that Facebook is not already aware of or actively investigating. Data scraping, malware, mass-scale tricking of users into installing apps, social engineering campaigns, and cases involving non-Facebook products (e.g., Instagram) are not eligible.

“A door is always open if a whistleblower wants to say there’s something sketchy here,” Greene told CNBC.