Now, 2 years down the road, Facebook has decided it’s a good idea to offer up a $500 bounty for exploits reported to the Facebook security team.

They are claiming they will pay out larger amounts for ‘truly significant’ bugs, but they aren’t qualifying that claim with any guidelines or amounts.

Facebook is going to pay hackers to find problems with its website — just so long as they report them to Facebook’s security team first.

The company is following Google and Mozilla in launching a Web “Bug Bounty” program. For security related bugs — cross site scripting flaws, for example — the company will pay a base rate of $500. If they’re truly significant flaws Facebook will pay more, though company executives won’t say how much.

“In the past we’ve focused on name recognition by putting their name up on our page, sending schwag out and using this an avenue for interviews and the recruiting process,” said Alex Rice, Facebook’s product security lead. “We’re extending that now to start paying out monetary rewards.”

On Friday, Facebook will launch a new Whitehat hacking portal where researchers can sign up for the program and report bugs.

Many hackers go public with the software and website flaws they find to gain prestige. Finding an important bug on a widely used website such as Facebook can help make a journeyman hacker’s career, and going to the press with the issue can make him — or her — famous.

They have always credited people who made discovered of insecurities on the Facebook platform and gifted them with t-shirts and other goodies, but this is the first move Facebook has made towards paying for exploits.

It is true though, finding a serious bug in a prestigious web property like Facebook could make someone famous overnight. I would like to see more bounty programs and those bounty programs paying out larger amounts.

Although I have to say I don’t believe a flaw in a social network would be worth that much on the black market (as opposed to say a zero-day in the latest version of Apache).

But talking about the issue before Facebook has had a chance to patch it, can be risky for Facebook users. In recent years, other companies have started these bug bounty programs to encourage hackers to keep quiet about the problems they find until they are patched.

Google pays between $500 and $3,133.70, depending on the severity of the flaw.

Google started to pay for browser bugs in early 2010, and then in November it expanded the program to cover bugs in its Web properties too.

The Web bug bounty program has helped Google uncover a lot of programming errors in the past eight months, most of which have been in Google’s lesser-known products, a company spokesman said this week.

Google sees its Web program as a big success. “We’re very happy with the success of our vulnerability reward program so far. We’ve already given out $300,000 and have seen a variety of interesting bugs,” the spokesman said in an e-mail message.

Facebook’s security team already engages in a lot of dialogue between security researchers and its own programmers. The company is contacted between 30 and 50 times each week by hackers. Their information leads to an average of about one to three “actionable bugs,” per week, Rice said. Most of these are cross-site scripting or cross-site request forgery issues. These are both very common Web programming errors that could be abused by scammers and cybercrooks to rip off Facebook users.

Google have given out over $300,000 since they started their program in 2010 – initially it was only for Chrome bugs – but they expanded it to cover all of their web properties and they’ve reaped the rewards by being able to fix all kinds of issues.

I foresee Facebook not having to pay out so much, the site is fairly closed and it’s not as expansive as the Google empire. Plus they don’t have any kind of actual software offering like Chrome.

It’s an interesting program though and I hope it leads to Facebook becoming more secure.

Source: Network World

Similar to the Hacker Challenge in 2006, it is being run by a U.S. company performing security testing and security metric research. The purpose of this challenge is to evaluate the effectiveness of software protections. The results of this effort will be used to improve protection measures.

There will be three distinct, yet related, phases to this contest. The first phase will be a hacker challenge, for which anyone can register to participate. The second stage of the contest will be a market (based on the Phase 1 challenge). Participation in this second phase will be by invitation only, based on performance in the first phase. The third phase of the contest will be a more challenging hacker challenge; this phase may or may not be invitation-only. There are opportunities to earn money in all three phases of the contest.

All file downloads and uploads necessary for the contest will be possible after the participant has logged in. The market will also be visible, at the appropriate time, after logging in.

You can read more here.

http://www.hackerchallenge.org/

All payments are in U.S. dollars, and will be made anonymously via PayPal with prizes up to $50,000USD for the three phases.

You can register here.