
Facebook pays for security loopholes - narad
http://www.bbc.co.uk/news/technology-14715442
======
dave1010uk
Direct link to Facebook's bug bounty program:
<http://www.facebook.com/whitehat/bounty/>

Mozilla (<http://www.mozilla.org/security/bug-bounty.html>) and Chromium
(<http://dev.chromium.org/Home/chromium-security/vulnerability-rewards-program>)
have bug bounties too and I'm sure many other projects do.

~~~
nbpoole
Google also has a security bug bounty program on its web applications:
<http://www.google.com/about/corporate/company/security.html> and
<http://googleonlinesecurity.blogspot.com/2010/11/rewarding-web-application-security.html>.

------
helipad
£25,000 seems like small change for identifying potentially disastrous
security holes.

------
wslh
A security professional makes this money in a few hours of work, so the "prize"
is not very attractive.

And what's interesting is that within the security ecosystem there are proven
ways to win authority and reputability.

------
reemrevnivek
I wasn't sure from the title if the article was about:

1. Facebook paying security researchers to find and report vulnerabilities.

2. Facebook paying (in user data, public image, and lawsuits) for
vulnerabilities exploited by malicious security researchers.

It's the former. As such, it reminds me of the "What does $1265 of bugs look
like?" discussion recently at <http://news.ycombinator.com/item?id=2927914>,
where the author of open-source software paid between $1 and $50 for various
bug levels. Does it make any sense for a company like Facebook to offer tiny
bounties on code style, spelling errors, and harmless bugs?

~~~
jgeralnik
Facebook's code is not open source, so no, code style bugs do not make
sense.

------
jgeralnik
"Facebook should consider setting up a "walled garden" that only allowed
vetted applications from approved developers to connect to the social
networking site, he said."

No. Just no.

------
jeffwhelpley
I think this is working. I haven't gotten as much spam on Facebook as I did a
year ago.

