Facebook’s chief security officer, Alex Stamos, stated that the bounty program “will help us find the cases of data abuse not tied to security vulnerability. … This will cover both hemispheres, and help surface more cases like Cambridge Analytica so we can know about it first and take action.”
Before you start counting your coin, it is important to note that the bounty program has very specific requirements. Facebook is looking for “any situation where data that was legitimately collected from users via a Facebook platform app that they downloaded was then sold, stolen, or transferred to another company without authorization from Facebook.” Such a situation is a violation of Facebook’s data user agreement. Those who report potential violations must have first-hand knowledge of the offense and cannot work solely off of speculation. Potential bounty hunters can only provide information that they are able to legally access. Public data also does not qualify for a bounty reward.
The submitted case must involve at least 10,000 Facebook users and demonstrate how the data was collected and abused. Data scraping by automated tools, and malware-based abuse on platforms such as Instagram, are not currently covered by this bounty program.
Bounty hunters can submit potential cases through Facebook’s “Data Abuse Bounty” form. Facebook will ask the reporter for additional information if its team wants to launch a more detailed investigation. Facebook may then shut down the platform app, conduct an onsite forensic audit, and/or take legal action. Investigations usually take between three and six months, but may last longer. Rewards start at $500 USD and go up to $40,000 USD. Only the first person to report a violation will be rewarded.
Facebook’s bug bounty team currently has ten people. Facebook plans to add more members and teams to investigate claims. The program is the first of its kind in the industry and builds on Facebook’s existing bug bounty program.
Facebook first announced their plans for a bounty program in late March. The program is in response to the notorious Cambridge Analytica scandal that leaked the information of 87 million Facebook users. The leak began with a psychology and personality quiz app that was installed by around 300,000 users. This app asked permission to access a user’s contacts list and, by extension, the information of those contacts. Cambridge Analytica, a data analytics firm, allegedly used the unauthorized data to influence voters during the 2016 United States presidential election.