If you are a security researcher, please
review our responsible disclosure policy before reporting any
vulnerabilities. If you are not a security researcher, visit the Facebook Security Page for assistance.
If you believe you have found a security vulnerability on Facebook, we
encourage you to let us know right away. We will investigate all
legitimate reports and do our best to quickly fix the problem.
Responsible Disclosure Policy
If you give us a reasonable time to respond to your report before
making any information public and make a good faith effort to avoid
privacy violations, destruction of data and interruption or degradation
of our service during your research, we will not bring any lawsuit
against you or ask law enforcement to investigate you.
Bug Bounty Info
To show our appreciation for our security researchers, we offer a
monetary bounty for certain qualifying security bugs. Here is how it
works:
Eligibility
To qualify for a bounty, you must:
- Adhere to our Responsible Disclosure Policy (above)
- Be the first person to responsibly disclose the bug
- Report a bug that could compromise the integrity of Facebook user data, circumvent the privacy protections of Facebook user data, or enable access to a system within the Facebook infrastructure, such as:
  - Cross-Site Scripting (XSS)
  - Cross-Site Request Forgery (CSRF/XSRF)
  - Broken Authentication (including Facebook OAuth bugs)
  - Circumvention of our Platform/Privacy permission models
  - Remote Code Execution
  - Privilege Escalation
  - Provisioning Errors
- Please use a test account instead of a real account when investigating bugs. When you are unable to reproduce a bug with a test account, it is acceptable to use a real account, except for automated testing. Do not interact with other accounts without the consent of their owners.
- Reside in a country not under any current U.S. Sanctions (e.g., North Korea, Libya, Cuba, etc.)
Our security team will assess each bug to determine if it qualifies.
Rewards
- Our minimum reward is $500 USD
- There is no maximum reward: each bug is awarded a bounty based on its severity and creativity
- Only 1 bounty per security bug will be awarded
Exclusions
The following bugs are not eligible for a bounty (and we do not recommend testing for these):
- Security bugs in third-party applications (e.g., http://apps.facebook.com/[app_name])
- Security bugs in third-party websites that integrate with Facebook
- Denial of Service Vulnerabilities
- Spam or Social Engineering techniques
- Acquisitions have a 3 month delay before we accept submissions.