Meta, recently rebranded from Facebook, today announced the expansion of its bug-bounty and data-bounty programs to reward valid reports of so-called scraping bugs and scraped databases with monetary compensation and matched charity donations, respectively.
The move is meant to address the risk of attack activity designed to scrape public and private data, which poses a threat to all kinds of websites and services. Scrapers such as malicious apps, websites, and scripts are constantly being updated to evade detection; the idea here is to make the process harder and more expensive for attackers, explained Dan Gurfinkel, security engineering manager, in a blog post.
The programs will start as a private bounty track for Meta's Gold+ HackerPlus researchers. The company will reward reports of scraping methods, even if the targeted data is public, he noted. Its goal is to find bugs that allow attackers to bypass scraping limitations and access data at a larger scale than a product intended.
"Our goal is to quickly identify and counter scenarios that might make scraping less costly for malicious actors to execute," he wrote. To the best of the company's knowledge, this is the industry's first data-scraping bug-bounty program.
Lack of proper rate limiting is currently included in the program's scope, Gurfinkel continued, but its terms don't allow hackers to automate data access and collection. Meta is encouraging research into logic bypass issues that could enable attackers to access information through untended mechanisms, even if proper rate limits are in place.
Starting Dec. 15, Meta's bug-bounty program will reward reports of unprotected or openly public databases containing at least 100,000 unique Facebook user records with personally identifiable information (PII) or sensitive data, such as email addresses, phone numbers, physical addresses, or religious or political affiliations.
"The reported dataset must be unique and not previously known or reported to Meta," Gurfinkel wrote. "We aim to learn from this effort so we can expand the scope to smaller datasets over time."
If it's confirmed that PII was scraped and is available on a website outside Meta, the company says it will "work to take appropriate measures," such as working with the website's owner to remove the dataset or taking legal action to make sure the problem is addressed. If the data is exposed due to a misconfigured third-party application, for example, it will seek to work with the developer to mitigate the issue.
Payouts for Datasets and Flaws
Rewards for both the bug-bounty and data-bounty program will be based on maximum impact of each report, with a minimum reward of $500.
For the scraping vulnerabilities, Meta will pay out monetary rewards for valid reports, as it has historically done for bug-bounty program submissions. For scraped datasets, however, rewards look a little different.
Valid reports of scraped datasets will be rewarded with a charity donation to the nonprofit of the researchers' choosing "to ensure that we do not incentivize scraping activity," Gurfinkel wrote. Meta will match each bounty, so researchers can hunt datasets knowing they'll direct more money to causes that matter to them.
Today's news marks the latest expansion of Meta's bugbounty program since it first launched in 2011. Since then, the program has received more than 150,000 reports, the company says; at least 7,800 were awarded a bounty. Beyond Facebook, the program covers Web and mobile clients across apps including Instagram, WhatsApp, Quest, and Workplace, among others.
Looking ahead, the company plans to ramp up efforts in educating the next generation of hackers with its inaugural BountyConEDU, a Madrid-based conference created for university students across Europe.