Internet related News · 2018-09-18

Facebook’s Bug Bounty Program to accept reports on 3rd-party websites, apps

Facebook has announced the expansion of its Bug Bounty Program by offering financial rewards for all valid reports of improper exposure of Facebook user access tokens by 3rd-party websites & apps.

Dan Gurfinkel, Security Engineering Manager at Facebook, announced these changes on Monday. While the reward for each report will be based on its severity & impact, a minimum reward of US $500 has been set for every vulnerable website or app reported.

Access tokens, which are unique to each Facebook user & are needed for logging into 3rd-party apps from the platform, can be misused if exposed, leading to various types of attacks, including session hijacking, information theft & man-in-the-middle attacks, among others.

By offering financial rewards for valid reports of exposure, Facebook hopes to open up channels for researchers to report this important issue & help safeguard user information. Facebook has also updated the terms of service for the scheme & has included important information about what is expected from researchers when submitting these reports.

Dan Gurfinkel stressed that the bug bounty program is not in any way a replacement for the appropriate organizational & technical measures that app developers are expected to have in place to protect personal data. Facebook will review all valid reports & work with developers to fix the code on their app or website responsible for the leak. Non-compliant apps will be suspended from the platform until the issue is resolved.

This new scheme from Facebook is in addition to its Data Abuse Bounty program, which rewards reports of privacy infringements by 3rd-party apps & websites that collect & pass on user information.

Image Credit: Facebook

 
