Meta: Expanding Bug Bounty Program

Colin Thierry

Meta Platforms, formerly known as Facebook, announced in a Dec. 15 blog post that it’s expanding its bug bounty program.

With this expansion, the company will start paying for valid reports of scraping bugs across its platform, as well as for reports of already-scraped data sets that are exposed online. Scraping, as Meta describes it, is the automated extraction of data from websites.

“We know that automated activity designed to scrape people’s public and private data targets every website or service,” said Dan Gurfinkel, security engineering manager at Meta, in the blog post. “We also know that it is a highly adversarial space where scrapers — be it malicious apps, websites, or scripts — constantly adapt their tactics to evade detection in response to the defenses we build and improve.”

Meta said it intends to compensate researchers for valid reports of scraping bugs in its services and for identifying unprotected or openly accessible databases that contain at least 100,000 unique Facebook user records with personally identifiable information. The reported data set must also be unique and not previously known.

If the requirements are met, Meta said it will take appropriate measures to remove the data from the non-Meta website. This could involve taking legal action, reaching out to hosting providers (Amazon, Box, Dropbox) to take the data set offline, or working with third-party app developers to address server issues. Reports about scraped databases will be rewarded through matched charity donations of the researcher’s choosing, Meta said.

“Our goal is to quickly identify and counter scenarios that might make scraping less costly for malicious actors to execute,” Gurfinkel said, adding that “we want to particularly encourage research into logic bypass issues that can allow access to information via unintended mechanisms, even if proper rate limits exist.”
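To make the "logic bypass even if proper rate limits exist" class concrete, here is a constructed toy in Python. It is an added illustration, not Meta's code and not a description of any real Meta endpoint: the user records, endpoint names (`lookup_user`, `match_contacts`), budget sizes and the `scrape` routine are all hypothetical. The vulnerable service throttles the obvious per-user lookup but leaves a second path that returns the same fields unthrottled and unbounded; the hardened service charges one shared budget for every record requested on any path and caps batch size.

```python
from collections import defaultdict

# Constructed sample data: six fake user records (not real people).
USERS = {
    uid: {"id": uid, "name": f"user{uid}", "phone": f"+1555000{uid:04d}"}
    for uid in range(1, 7)
}


class RateLimiter:
    """Fixed per-client budget of calls; enough to show the point."""

    def __init__(self, budget):
        self.budget = budget
        self.used = defaultdict(int)

    def charge(self, client, cost=1):
        """Spend `cost` units of the client's budget; False if exhausted."""
        if self.used[client] + cost > self.budget:
            return False
        self.used[client] += cost
        return True


class VulnerableApi:
    """Rate limit applied only to the obvious per-user endpoint.

    The contact-matching endpoint (hypothetical) returns the same fields
    through a different code path with neither a limit nor a batch cap,
    so a scraper simply switches to it once lookups are throttled."""

    def __init__(self, budget=5):
        self.limiter = RateLimiter(budget)

    def lookup_user(self, client, uid):
        if not self.limiter.charge(client):
            raise PermissionError("rate limited")
        return USERS.get(uid)

    def match_contacts(self, client, phones):
        wanted = set(phones)  # no limiter, no size cap: bulk enumeration
        return [u for u in USERS.values() if u["phone"] in wanted]


class HardenedApi(VulnerableApi):
    """Same endpoints, but one shared budget is charged on every path that
    yields records, priced per record requested, plus a batch-size cap."""

    MAX_BATCH = 3

    def match_contacts(self, client, phones):
        if len(phones) > self.MAX_BATCH:
            raise ValueError("batch too large")
        if not self.limiter.charge(client, cost=len(phones)):
            raise PermissionError("rate limited")
        wanted = set(phones)
        return [u for u in USERS.values() if u["phone"] in wanted]


def scrape(api, client="scraper"):
    """Simulated scraper: hammer the obvious endpoint until throttled, then
    fall back to the contact-match path in small batches. Returns how many
    distinct records the scraper obtained."""
    got = {}
    for uid in USERS:
        try:
            rec = api.lookup_user(client, uid)
        except PermissionError:
            break
        if rec:
            got[uid] = rec
    phones = [u["phone"] for u in USERS.values()]
    step = HardenedApi.MAX_BATCH
    for i in range(0, len(phones), step):
        try:
            for rec in api.match_contacts(client, phones[i:i + step]):
                got[rec["id"]] = rec
        except (PermissionError, ValueError):
            break
    return len(got)


if __name__ == "__main__":
    print("vulnerable:", scrape(VulnerableApi()), "of", len(USERS))  # 6 of 6
    print("hardened:  ", scrape(HardenedApi()), "of", len(USERS))    # 5 of 6
```

The point of the hardened variant is not the particular numbers but that the budget is enforced on records returned, not on requests to one URL: any endpoint that can hand back a user record draws from the same counter, and a batch of N identifiers costs N. That is the property to test for when auditing an API for scraping bugs, and it is exactly the class of bypass that a per-endpoint limit leaves open.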

Meta said it has paid out over $14 million in bounties since starting the program in 2011, with $2.3 million awarded to researchers from over 46 countries in 2021 alone. The company added that over the past decade the largest numbers of valid reports have come from India, the US, and Nepal, in that order.

About the Author

Colin Thierry is a former cybersecurity researcher and journalist for SafetyDetectives who has written a wide variety of content for the web over the past 2 years. In his free time, he enjoys spending time outdoors, traveling, watching sports, and playing video games.