As announced recently, Meta (formerly ‘Facebook’) has expanded its bug bounty program to include scraping vulnerabilities. This decision comes amid growing instances of data scraping, which has even targeted Facebook in the past. The tech giant aims to be the first in the industry to take this step.
Meta Expands Bug Bounty To Add Scraping
Through a recent blog post, Dan Gurfinkel, Security Engineering Manager at Meta, has shared details about the inclusion of data scraping bugs in its bug bounty scope.
As elaborated, this expansion includes two new aspects.
First, it covers reports of scraping bugs that attackers may abuse to evade data access limitations. As stated in the post:
As scraping continues to be an internet-wide challenge, we’re excited to open up two new areas of research for our bug bounty community… Our bug bounty program will now reward reports about scraping bugs.
Meta thinks this will be the first step towards recognizing and rewarding scraping bugs. Furthermore, it believes it will help counter data scraping attacks by eliminating the factors that make them “less costly to execute”.
Second, the firm will reward reports of unsecured Facebook user data.
In addition, we are expanding our data bounty program to reward reports of unprotected or openly public data sets containing at least 100,000 unique Facebook user records that include information such as email, phone number, physical address, religious, or political affiliation. The reported data set must be unique and not previously known or reported to Meta.
As for the rewards, Meta will prefer donating them to charities so as not to “incentivize scraping”.
For now, this expansion of the bug bounty program will run as a private program for the Gold and HackerPlus researchers.
The firm has shared further details about this expansion in a separate post.
Previously, the tech giant expanded its bug bounty program to include third-party apps integrating with Facebook. With the recent expansion, the company aims to enhance the overall security of its products and users.
Last modified: December 18, 2021