Social networking giant Facebook will soon begin paying security researchers for information on vulnerabilities in its platform, according to a report from the Hack in the Box security conference in Amsterdam.
Facebook’s Chief Security Officer Joe Sullivan told Softpedia that the company would soon introduce a bug bounty program, similar to those offered by Google, Mozilla and HP’s TippingPoint division. Sullivan said Facebook is currently testing the system and hopes to launch it soon.
Facebook has been investing in account security features in recent months. The company added a multi-factor authentication feature to make it more difficult to hijack user accounts. Privacy concerns aside, the social network is increasingly a target of scams and malicious traffic, including spam messages and “like jacking” attacks. There are also questions about the underlying security of the Facebook platform itself. Recently, a security researcher in Queensland, Australia, demonstrated a method for culling private photos from Facebook accounts with little more than the Facebook user’s account ID, an Internet connection and some time.
A growing number of technology firms have adopted bounty programs to entice top vulnerability researchers to share their work. Most recently, Google has upped the amount it will pay researchers for security flaws in the company’s products. In November 2010, Barracuda Networks also announced a program to pay for vulnerability information. Notably, Microsoft has stuck to its longstanding policy of not paying for vulnerabilities, despite calls from the security community for the company to rethink its opposition to paying for information on software security holes.