Zenith


    Friday, October 9, 2020

    Facebook Announces Bug Bounty 'Loyalty Program'

    Facebook's new Hacker Plus loyalty program

    Facebook has announced a new loyalty program for white-hat hackers, alongside a new description language designed to standardize the process for reporting bugs.

    The social networking giant first launched its bug bounty program way back in 2011, and in the intervening years it has paid out nearly $10 million in rewards to security researchers who find glitches in the company’s software. To incentivize more engagement from the “ethical hacker” community, Facebook is introducing Hacker Plus, a program that offers performance-based rewards including bonuses, all-expenses-paid event invitations, and early access to stress-test new products and features.

    Hacker Plus adopts a league-based setup with five divisions, starting from the entry-level Bronze league all the way up to the top Diamond league. For example, someone in the Bronze league can receive 5% on top of each bounty award, while someone in the Diamond league can receive 20% and paid trips to live hacking events.

    Above: Hacker Plus program setup
    Security researchers are automatically placed into leagues based on the quality and quantity of their bug submissions over the past 24 months. This includes their “signal-to-noise” ratio, which basically means the number of valid vulnerabilities that have been identified and resolved, versus submissions that are duplicates or not real bugs. Moving forward, Facebook’s security engineering manager Dan Gurfinkel said that the company will “regularly evaluate” league positions by analyzing researchers’ performances over the preceding 12 months, meaning that hackers can move up and down the ladder.

    While there is no way to opt out of the program, each researcher’s league position is private unless they choose to share it publicly on their Hacker Plus profile. It’s easy to see how this could become addictive, given that it essentially gamifies bug-hunting, encouraging researchers to pit their wits against their peers and earn new profile badges when they advance to a higher league.

    FBDL

    In addition to the new loyalty program, the company is also launching the Facebook Bug Description Language (FBDL) out of beta today, after initially rolling it out to a handful of researchers as part of an alpha program earlier this year.

    FBDL is a new tool designed to help researchers from all backgrounds and languages set up bug reproduction steps in a standard description language, making it easier to submit reports that demonstrate their findings and potential impact.
