Latest in Gear

Image credit: SOPA Images via Getty Images

Facebook will reward those who report bugs in third-party apps

It's expanding the bug bounty program to include apps that link to Facebook.
SOPA Images via Getty Images

Facebook is expanding its bug bounty program and will begin offering rewards to those that report vulnerabilities in third-party apps that connect to its platform. Specifically, the company is concerned with the misuse of access tokens, which allow Facebook users to log into other apps and websites with their Facebook account. "If exposed, a token can potentially be misused, based on the permissions set by the user," Dan Gurfinkel, Facebook's security engineering manager, said in a blog post. "We want researchers to have a clear channel to report these important issues, and we want to do our part to protect people's information, even if the source of a bug is not in our direct control."

In the wake of the Cambridge Analytica scandal, Facebook made some changes to its privacy policies and stepped up some of its security efforts. In April, it began offering rewards to those reporting data abuse on the part of app developers. Gurfinkel noted in today's blog post that app developers are still required to protect users' data and the expanded bug bounty program isn't meant as a replacement for those obligations.

Those with valid reports will be given a minimum of $500, with that amount increasing in line with the impact of the report. "Importantly, we will only accept reports if the bug is discovered by passively viewing the data sent to or from your device while using the vulnerable app or website," wrote Gurfinkel. "You are not permitted to manipulate any request sent to the app or website from your device, or otherwise interfere with the ordinary functioning of the app or website in connection with submitting your report." Affected apps will be notified and Facebook will work with them to fix the issue. Those that don't respond will be suspended until the problem has been addressed and a security review has been completed. Facebook will also notify any users affected by reported vulnerability.

From around the web

ear iconeye icontext filevr