Facebook Debuts Bug-Bounty ‘Loyalty Program’

facebook bug bounty loyalty programs

Facebook bounty hunters will be placed into tiers by analyzing their score, signal and number of submitted bug reports — which will dictate new bonus percentages.

Facebook has lifted the curtain on what it claims is an industry first: A loyalty program as part of its bug-bounty offering, which aims to further incentivize researchers to find vulnerabilities in its platform.

The loyalty program, called “Hacker Plus,” offers bonuses on top of bounty awards, access to more products and features that researchers can stress-test, and invites to Facebook annual events. It adds another layer to Facebook’s bug-bounty effort, which has been around since 2011.

Threatpost Webinar Promo Retail Security

Click to Register!

“Hacker Plus is designed to help build community among the researchers who participate in our bug-bounty program, in addition to incentivizing quality reporting,” Dan Gurfinkel, security engineering manager with Facebook, said in a Friday post.

Hacker Plus will have five “leagues” – from an entry-level Bronze tier all the way up to the highest-level Diamond tier (Silver, Gold and Platinum are in-between). Gurfinkel said that researchers have been placed into different leagues based on the cumulative quantity of their submissions and scores over the last 24 months.

Based on their league, researchers are eligible to receive bonuses on top of the standard bounty award. For instance, Bronze tier members will receive a 5 percent bonus on top of each bounty they receive – while Diamond tier members will earn a 20 percent bonus. Diamond-level researchers also gain access to various events, including live hacking events, Facebook’s F8 conference and DEFCON.

Facebook also said that researchers who submitted at least one valid vulnerability report and received a payout according to the bug-bounty program terms and conditions are eligible to participate in the Hacker Plus program. Researchers can view their tiers on their profile page.

“Starting today [Friday], we’ll regularly evaluate researchers’ league placement by analyzing their score, signal and number of submitted bug reports within the last 12 months,” said Gurfinkel. “This means researchers can move up a league if they submit more high-quality bug submissions. Once a researcher meets a higher league’s criteria, they will immediately be placed into that league.”

The announcement comes as bug-bounty programs have come under scrutiny in the cybersecurity community. Security experts worry that if improperly implemented, the programs merely promote marketing hype and flashy rewards – forgetting important backend logistics for securing the company, such as triage.

For its part, Facebook continues to flesh out its bug-bounty offerings for the security research community.

In 2018, Facebook said it will expand its bug-bounty program in an attempt to crackdown on data misuse by third-party app developers. Also in 2018 the social media company announced an expansion to sniff out vulnerabilities related to access-token exposure. More recently, this past year, Facebook awarded a security researcher $20,000 for discovering a cross-site scripting (XSS) vulnerability in the Facebook Login SDK, which is used by developers to add a “Continue with Facebook” button to a page as an authentication method.

On October 14 at 2 PM ET Get the latest information on the rising threats to retail e-commerce security and how to stop them. Register today for this FREE Threatpost webinar, “Retail Security: Magecart and the Rise of e-Commerce Threats.” Magecart and other threat actors are riding the rising wave of online retail usage and racking up big numbers of consumer victims. Find out how websites can avoid becoming the next compromise as we go into the holiday season. Join us Wednesday, Oct. 14, 2-3 PM ET for this LIVE webinar.

Suggested articles