Facebook Launches Data Abuse Bounty Program

Most big tech companies have a bug bounty program. These initiatives are supposed to incentivize security researchers to share any vulnerabilities they find in the companies' products rather than revealing them to the public, selling them to third parties, or exploiting them. Facebook now wants to apply the same approach--offering compensation for quiet disclosure--to apps that inappropriately use its platform data.

That's why Facebook announced the Data Abuse Bounty Program. (Catchy name, right?) The company doesn't seem to have many of the program's details worked out yet, however, and we suspect that's because it's rushing to respond to the Cambridge Analytica scandal in as many ways as possible. Introducing the Data Abuse Bounty Program is quite literally another item on Facebook's "avoid another scandal" check list:

That image was taken from Facebook's blog post announcing this new program. In it, the company said that it wants to "reward people with first-hand knowledge and proof of cases where a Facebook platform app collects and transfers people’s data to another party to be sold, stolen, or used for scams or political influence." It will then investigate the claims and, if appropriate, shut down the offending app and take legal action.

Facebook explained what it's hoping to learn from the Data Abuse Bounty Program via its terms, where it said that submitted apps must involve:

  • More than 10,000 Facebook users.
  • Definitive abuse of data. Not just collection.
  • A case we were not already aware of or actively investigating.

The company also said that submissions cannot be related to social engineering, malware that tricks people into downloading apps, or Facebook-owned-but-technically-separate services like Instagram. Most of those restrictions seem to be designed to separate the Data Abuse Bounty Program from Facebook's existing bug bounty program, but the exclusion of services like Instagram is less easily explained.

Facebook offered more information about the Data Abuse Bounty Program in a separate FAQ page. The company said that researchers will be paid at least $500 for any submissions on which it acts, and that rewards are based on "a variety of factors, including (but not limited to) impact, data exposure, number of affected users, and other factors." The maximum appears to be $40,000--the same as its bug bounty program.

A Good (Albeit Rushed) Start

The Data Abuse Bounty Program was clearly born of desperation. Facebook wants to assure its billion-plus users that the Cambridge Analytica scandal won't happen again. (See the check list above.) But the program’s swift, scandal-driven introduction doesn’t reduce its potential impact on Facebook users’ privacy. Other companies that manage widely used platforms might actually want to follow Facebook’s lead in encouraging researchers to investigate the apps that collect information via their services.

Many large companies encourage developers to build on top of their platforms, whether it's via wholesale integration or simple login support. Twitter and Google are the most similar to Facebook in that their platforms are used by countless apps. Rarely do people stop to think about all the apps that have access to their Twitter, Google, or Facebook data, even though Cambridge Analytica showed how easy that access can be to exploit.

Consumers shouldn't and can't be expected to investigate every app or service they encounter. It's up to the companies running these platforms to make sure everything is on the up-and-up, and to independent researchers to suss out when the platform makers have shirked their responsibilities. If that requires these companies to grease a few palms via programs like Facebook's, well, they should just grease away.

Nathaniel Mott
Freelance News & Features Writer

Nathaniel Mott is a freelance news and features writer for Tom's Hardware US, covering breaking news, security, and the silliest aspects of the tech industry.

  • stdragon
    FB is a blackhole. Avoid the event horizon.

  • Non-Euclidean
    FB is an intelligence test which billions have failed and continue to do so.
  • jaexyr
    That's funny
  • zahoome
    Can I report Facebook itself?
  • Giroro
    "reward people with first-hand knowledge and proof of cases where a Facebook platform app collects and transfers people’s data to another party to be sold, stolen, or used for scams or political influence."

    So... I can earn $500 for telling Facebook that the Facebook app is working normally?
  • dextermat
    Mega corps are just so insulting. Too little, too late. The only real winners in lawsuits are the blood-sucking lawyers.
  • redgarl
    Did they hire the same PR firm that CTS-Labs used? The diagram convention is just so similar.