Meta announced a number of enhancements to its bug bounty program to combat data scraping of Facebook user information and large unprotected datasets. Over the past decade, the company’s bug bounty program has grown from the Facebook website to cover all web and mobile clients across apps, services and businesses, including Instagram, WhatsApp, Quest and Workplace. In fact, since 2011, Meta has paid out over $14 million in bug bounties and received over 150,000 reports, of which over 7,800 were awarded bounties.
Covering scraping and unprotected records
As scraping continues to be an internet-wide challenge for tech companies, Meta announced in a new blog post that it will be opening two new areas of research in the HackerPlus bug bounty community. The company’s bug bounty program, which began as an undisclosed bounty track for its Gold+HackerPlus researchers, now rewards reports of scraping bugs. The purpose of this program is to find bugs that attackers use to bypass scraping limits and access larger amounts of data than the product allows.
So far this year, the company has received about 25,000 reports and issued bonuses for over 800 reports. Meta has designed its bug bounty program to remain agile from the start to address emerging risk areas such as the Cambridge Analytica platform exploits and access token attacks in 2018. Now, the company plans to expand its bug bounty program to address new risk areas and focus on creating new initiatives to recruit and retain security researchers.
Meta aims to quickly identify and address scenarios that may make scraping more cost-effective to implement. This is the industry’s first scraping bug bounty program and we hope other big tech companies will follow suit.
In addition, Meta is expanding its data rewards program to reward reports on unprotected or publicly available records, including at least 100,000 unique Facebook user records that contain information such as user email addresses, phone numbers, physical addresses, religious or political affiliations. However, the reported record must be unique and not previously known or reported to the company. At the same time, Meta rewards valid reports of scraped records in the form of charitable donations to non-profit organizations of the researchers’ choice, to avoid encouraging scraping activities.