Facebook bug-bounty hunters will be placed into tiers based on an analysis of their score, signal and number of submitted bug reports; the tier will govern new bonus percentages.
Facebook has lifted the veil on what it claims is an industry first: a loyalty program as part of its bug-bounty offering, which aims to further incentivise researchers to find vulnerabilities in its platform.
The loyalty program, named “Hacker Plus,” offers bonuses on top of bounty awards, access to more products and features that researchers can stress-test, and invitations to Facebook’s annual events. It adds a further layer to Facebook’s bug-bounty arrangements, which have existed since 2011.
“Hacker Plus is designed to help build community among the researchers who participate in our bug-bounty program, in addition to incentivising quality reporting,” Dan Gurfinkel, Security Engineering Manager at Facebook, said in a post.
Hacker Plus will have five “leagues,” from an entry-level Bronze tier up to the highest-level Diamond tier (Silver, Gold and Platinum sit in between). Gurfinkel noted that researchers have already been placed into leagues based on the quantity of their submissions and their scores over the last two years.
Depending on their league, researchers are eligible for bonuses on top of the standard bounty award. For example, Bronze tier members get a 5% bonus on top of each bounty they receive, while Diamond tier members earn a 20% bonus. Diamond-level researchers also gain access to various events, including live hacking events, Facebook’s F8 conference and DEFCON.
Facebook also noted that researchers who have submitted at least one valid vulnerability report and received a pay-out under the bug-bounty program’s terms and conditions are eligible to participate in Hacker Plus. Researchers can view their tier on their profile page.
“Starting Friday, we’ll regularly evaluate researchers’ league placement by analysing their score, signal and number of submitted bug reports within the last 12 months,” said Gurfinkel.
“This means researchers can move up a league if they submit more high-quality bug submissions. Once a researcher meets a higher league’s criteria, they will immediately be placed into that league.”
The announcement comes as bug-bounty programs have come under scrutiny in the cyber-security community. Security experts worry that, if improperly implemented, such programs merely promote marketing hype and flashy rewards while neglecting the back-end logistics that actually secure the company, such as triage.
Third-Party App Developers
For its part, Facebook continues to expand its bug-bounty offerings for the security research community.
In 2018, Facebook said it would expand its bug-bounty program in an attempt to crack down on data misuse by third-party app developers. Also in 2018, the social-media company announced an expansion covering vulnerabilities related to access-token exposure.
More recently, Facebook awarded a security researcher $20,000 for discovering a cross-site scripting (XSS) vulnerability in the Facebook Login SDK, which developers use to add a “Continue with Facebook” button to a page as an authentication method.