How do you catch a hacker? Facebook‘s answer to that question is to pay other hackers! According to a recent Forbes article, the social media site has paid $300,000 to “friendly hackers,” who are tasked to find vulnerabilities and help fix them.
Ryan McGeehan, the head of Facebook’s security response team, explained Facebook’s bug bounty program, which can pay around $1,000 for revealing a vulnerability, Forbes reported.
“Bounties are a great iteration on our responsible disclosure policy (which we’ve had for years),” McGeehan wrote on questions-and-answers website Quora on May 21. “We’ve made several site wide improvements based on input through [the] bug bounty [program] while overall being cost effective and fair to researchers. We’ve been able to pay far over our minimum bounty on a pretty regular basis, and in many cases it makes more and more sense to increase our investment in what has turned into a global community of researchers who are making contributions.”
According to Forbes, Facebook isn’t the only company crowdsourcing its security. Google has also paid out a considerable $410,000 though its bounty program, and it recently raised the maximum reward from $3,133.70 to $20,000. Not a bad chunk of change for a (helpful) hacker-mercenary. Even though those numbers have to compete with a cyber black market, where hackers pay each other for disclosed vulnerabilities, McGeehan said bounty programs like Facebook’s encourage hackers to “double dip” by selling the exploit on the black market and then reporting it for a bounty – which speeds up how quickly such vulnerabilities can be fixed.
Are the bug bounty programs effective? Well, just last month, IDG News Service reported cybersecurity researchers released eight bugs found in Google’s services. Exploits were found in services ranging from Google Calendar to the photo editing software Picnik.
What do you think about bug bounty programs? Do hackers deserve money for unveiling vulnerabilities? Are these programs effective in increasing cybersecurity?