Meta

Expanding Our Bug Bounty Program to Address Scraping

Our Bug Bounty program works with researchers to help us detect and fix issues across our apps faster so that we can better protect our community. So far this year, we’ve awarded over $2.3 million to researchers from more than 46 countries and have received around 25,000 reports in total, issuing bounties on over 800. And now we’re expanding our programs to address new challenges and welcome more researchers.

Today, we’re launching two new updates to our Bug Bounty and Data Bounty programs around scraping. As scraping continues to be an internet-wide challenge, we’re excited to open up these new areas of research for our bug bounty community. 

Scraping Bugs

We know that automated activity designed to scrape people’s public and private data targets every website or service. We also know that it is a highly adversarial space where scrapers — be it malicious apps, websites or scripts — constantly adapt their tactics to evade detection in response to the defenses we build and improve. As part of our larger security strategy to make scraping harder and more costly for the attackers, today we are beginning to reward valid reports of scraping bugs in our platform.

Starting as a private bounty track for our Gold+ HackerPlus researchers, our bug bounty program will award reports about scraping methods, even if the data they target is public. Specifically, we’re looking to find bugs that enable attackers to bypass scraping limitations to access data at greater scale than the product intended. Our goal is to quickly identify and counter scenarios that might make scraping less costly for malicious actors to execute. While lack of proper rate limiting is now included in the program’s scope (our terms still do not allow anyone to automate access and collection of data), we want to particularly encourage research into logic bypass issues that can allow access to information via unintended mechanisms, even if proper rate limits exist. We’ve provided our Gold+ researchers with examples on such bypasses to help jumpstart this research.

To the best of our knowledge, this is the first scraping bug bounty program in the industry. We will work to address feedback from our top bounty hunters before expanding the scope to a greater audience.

Scraped Databases

Starting today, our data bounty program will also cover scraped datasets found online. We will reward reports of unprotected or openly public databases containing at least 100,000 unique Facebook user records with PII or sensitive data (e.g. email, phone number, physical address, religious or political affiliation). The reported dataset must be unique and not previously known or reported to Meta. We aim to learn from this effort so we can expand the scope to smaller datasets over time.

If we confirm that user PII was scraped and is now available online on a non-Meta site, we will work to take appropriate measures, which may include working with the relevant entity to remove the dataset or seeking legal means to help ensure the issue is addressed. For example, if the dataset is a result of a misconfigured third-party application, we will work with the developer to address the issue. Alternatively, if the dataset is exposed on a hosting service (e.g. S3 bucket, file-sharing service), we will make efforts with the host (Amazon, Box, Dropbox, etc.) to take this dataset offline.

Bounty Awards

As always, we will issue rewards in both programs based on the maximum impact of each report, with a minimum reward of $500 per each scraping bug or dataset.

Scraped datasets: We will reward valid reports of scraped datasets in the form of charity donations to nonprofits of our researchers’ choosing to ensure that we do not incentivize scraping activity. Per our donation matching policy, we will match each bounty, which means that researchers will be directing an even higher bounty to the causes important to them.

Scraping bugs: We will be issuing monetary rewards for valid reports about scraping bugs, similar to how we’ve always issued rewards for eligible submissions to our Bug Bounty program. Researchers, of course, can choose to donate a bounty to a recognized charity (subject to approval by Meta).

We’re looking forward to our community’s research and feedback in these two new research areas.

Learn more on our Engineering at Meta blog.