The social networking company Facebook has paid $40,000 to hackers that spotted software vulnerabilities as a part of its recently-launched “bug bounty” initiative.
A New Approach
This “bug bounty” scheme is a new approach to internet security that encourages criticism and rewards people who have found “bugs” in the software instead of punishing them. This approach appears to be working, as companies such as Google and Hewlett-Packard have also employed initiatives that pay for tips about vulnerabilities in their software.
In a post on the company blog, Facebook chief security officer Joe Sullivan discussed the program to pay hackers, stating, “We realize … that there are many talented and well-intentioned security experts around the world who don’t work for Facebook. We established this bug bounty program in an effort to recognize and reward these individuals for their good work and encourage others to join.”
This “neighborhood watch” approach to security is receiving praise from digital advocacy groups such as the Electronic Frontier Foundation. Joe Sullivan described the success of the bug bounty scheme, saying “The program has also been great because it has made our site more secure – by surfacing issues large and small, introducing us to novel attack vectors, and helping us improve lots of corners in our code.”
Publicity for Whitehats
Another shift in the attitude of the technology industry is its aim to give “whitehats” – a geek term for “good guy” hackers – public recognition for helping to identify and solve problems. This takes the “fun” out of hacking into a site, since it is often done more for glory and notoriety than for financial gain. Now there is both fame and financial gain for the “good guys”: Facebook stated it has paid one hacker $7,000 for reporting six issues in its code, and $5,000 for spotting one particularly dangerous problem.
Facebook also promises legal protection to whitehat hackers who may have had to break the law in order to identify a problem. The company stated, “If you give us a reasonable time to respond to your report before making any information public and make a good-faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research, we will not bring any lawsuit against you or ask law enforcement to investigate you.”