Meta expands bug bounty program to reward discoveries of scraped data

The company will donate to a charity chosen by the researcher who finds it.

NurPhoto via Getty Images

Meta is expanding its bug bounty program to reward researchers who report data scraping. The change will allow researchers to report both bugs that could enable scraping activity, as well as previously scraped data that has already been published online.

In a blog post, Meta says it believes it is the first to launch a bug bounty program to specifically target scraping activity. “We're looking to find vulnerabilities that enable attackers to bypass scraping limitations to access data at greater scale than what we initially intended,” Security Engineering Manager Dan Gurfinkle told reports during a briefing.

Data scraping is different than other “malicious” activity Meta tracks as it uses automated tools to mass-collect personal information from users’ profiles, such as email addresses, phone numbers, profile photos and other details. Even though users often willingly share this information on their public Facebook profiles, scrapers can expose these details more widely, such as publishing the information in searchable databases.

It can also be difficult for Meta to combat this activity. For example, in April the personal information of more than 500 million Facebook users was published on a forum. In that case, the actual data scraping had occurred years prior, and the company had already addressed the underlying flaw. But there was little it could do once the data started circulating online. In some cases, the company has also sued individuals for data scraping.

Under the new bug bounty program, researchers will be rewarded for finding “unprotected or openly public databases containing at least 100,000 unique Facebook user records with PII [personally identifiable information] or sensitive data (e.g. email, phone number, physical address, religious or political affiliation).” Instead of its usual payouts though, Meta says it will donate to a charity chosen by the researcher in order not to incentivize the publishing of scraped data.

For reports of bugs that can lead to data scraping, researchers can choose between a donation or a direct payout. Meta says each bug or dataset is eligible for at least a $500 award.