Facebook to pay bug-finders bounty

Facebook’s offering a bounty to users who discover bugs on its site.

To qualify for the $500 on offer, users must be the first to report the bug, and it must be native to Facebook itself, rather than in a third-party application or website that integrates with Facebook.

Also excluded are security bugs in Facebook’s corporate infrastructure.

A qualifying bug must be one that could compromise the integrity or privacy of Facebook user data, such as cross-site scripting (XSS), cross-site request forgery (CSRF/XSRF) or remote code injection.

“If you give us a reasonable time to respond to your report before making any information public and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research, we will not bring any lawsuit against you or ask law enforcement to investigate you,” says the company.

But at $500, the bounty’s far less than that offered by Google and Microsoft – indeed, Microsoft offers up to $250,000. Google pays up to $3,133 for reports on flaws. Facebook says it may pay more than $500 for specific bugs, but doesn’t give any more information.