"If you give us a reasonable time to respond to your report before making any information public and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research, we will not bring any lawsuit against you or ask law enforcement to investigate you," says Facebook.
The base sum for a responsibly disclosed vulnerability is $500, but the discovery of specific bugs might be rewarded with a higher sum. The Facebook security team has the final say on whether a bug qualifies for a reward.
For those who thought about all those scams circling on Facebook and wondered whether they might make a few bucks by reporting them - don't bother. Among the bugs that won't be considered for the bounty program are spam or social engineering techniques, DoS vulnerabilities, bugs in Facebook's corporate infrastructure and vulnerabilities in third-party websites or apps.
The bugs whose reporting will be rewarded are those that could compromise the integrity or privacy of Facebook user data, such as Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF/XSRF) and Remote Code Injection - as long as the disclosure is deemed responsible by Facebook.
The news has been welcomed and praised by security researchers all over the world, reports Computerworld. The offered sum might seem small when compared to Google awarding up to $3,133 and Mozilla up to $3,000 for a bug, but it's definitely a step in the right direction.
ESET researcher Cameron Camp points out at the possibility for the big bounty program to be used as a recruiting tool, and that might, in the end, prove to be an even bigger incentive.