30 Jul 2011
Facebook has become the latest company to pay researchers who find bugs in its code, and is offering around $500 a flaw.
The company has opened a White hat hacking page on Facebook and is offering the bounty in return for vulnerabilities in its own code, but not in the applications and web sites of third parties.
Facebook is looking particularly for flaws that allow cross-site scripting and request forgery attacks, or remote code injection.
Researchers will typically earn $500 per bug, with more on offer in specific circumstances. Any disclosure is subject to the company's reasonable disclosure policy.
"If you believe you've found a security vulnerability on Facebook, we encourage you to let us know right away," Facebook said.
"If you give us a reasonable time to respond to your report before making any information public and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research, we will not bring any lawsuit against you or ask law enforcement to investigate you."
Facebook was also very specific about what it does not want to hear about, notably security flaws in its own corporate infrastructure, spam alerts or distributed denial-of-service information.
The practice of paying for flaw information is becoming increasingly common in the IT industry. Google, Mozilla and TippingPoint all offer varying amounts in exchange for prior notice of flaws, and there is now a burgeoning cottage industry of researchers making good money in post-production bug testing.
Microsoft is holding out against the practice, although it has proved willing in the past to offer specific bounties, such as for the creator of the Sasser worm and the identities of the Rustock botnet owners.