Facebook expands bug bounty program to include third-party apps and websites

Facebook announced this morning it’s expanding its bug bounty program – which pays researchers who find security vulnerabilities within its platform – to now include issues found in third-party apps and websites. Specifically, Facebook says it will reward valid reports of vulnerabilities that relate to the improper exposure of Facebook user access tokens.

Typically, when a user logs into another app using their Facebook account information, they’re able to decide what information the token and, therefore, the app can access and what actions it can take.

But if the token becomes compromised, users’ personal information could be misused.

Facebook says it will pay a minimum reward of $500 per vulnerable app or website, if the report is valid. The company also noted it wasn’t aware of any other programs offering rewards of this scope for all eligible third-party apps.

If a vulnerability is determined to be legitimate, Facebook will then work with the affected app developer or website operator to fix their code. Any app whose developer doesn’t comply with Facebook’s request to address the issue will be suspended from the platform until the problem has been fixed and the app has undergone a security review.

In addition, Facebook says it will revoke all the access tokens that could have been compromised in order to prevent potential misuse. If it believes anyone has actually been impacted by the problem, it will notify them, if need be.

The company spells out what sort of information researchers (the white hat hackers) should include in their reports in order to receive the reward. It also says it’s only accepting reports where the bug is discovered by passively viewing data sent between a device and the affected app or website – not through any form of active manipulation on the researchers’ part.

The news comes at a time when Facebook is still dealing with the fallout from the Cambridge Analytica scandal, which compromised the personal data of as many as 87 million Facebook users. This was followed by news this summer that a quiz app had been leaking data on 120 million users for years.

Since then, the company has been tightening its API platform, reviewing all apps, suspending hundreds of apps deemed suspicious, rolling out tools to help people better manage their apps, and more.

As a part of those changes, Facebook said earlier this year that its bug bounty program would be expanded.

Separately from this new program, the company now also runs a Data Abuse Bounty program, which rewards first-hand knowledge of third parties that collect user data in order to pass it on to malicious parties.

“We would like to emphasize that our bug bounty program does not replace the obligations on app developers to maintain appropriate technical and organizational measures to protect personal data — either regulatory obligations (for example, if the app developer is a data controller for the purposes of GDPR) or the rigorous controls we require through our terms of service and policies that apply to all developers on the Facebook platform,” wrote Dan Gurfinkel, Facebook Security Engineering Manager, in an announcement.

More details on the program are here.