This is news for all researchers, hackers and developers. Now the lot of you can earn money by doing what you do best, search for vulnerabilities in sites and programs such as Facebook, Mozilla and PayPal. The first company to ever introduce this idea to the masses was Mozilla and soon after, Google followed suit. Facebook was the next in line. All these major shareholders of today's internet services began offering $500 worth of bounty ages ago. As the time passed, they too have increased their rewards paying as much as $3000 and above.
Facebook has started to follow in the footsteps of Mozilla and Google by launching a "bug bounty" program where people who find and report bugs and vulnerabilities can cash in on them. The "Responsible Disclosure Policy" program, through which researchers and developers can report flaws in the website, can reward up to $500 and above.
According to Facebook;
"If you give us a reasonable time to respond to your report before making any information public and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research, we will not bring any lawsuit against you or ask law enforcement to investigate you."
Bugs that you can submit to Facebook:
1. Cross-Site Scripting (XSS)
2. Cross-Site Request Forgery (CSRF/XSRF)
3. Remote Code Injection
4. Broken Authentication (including Facebook OAuth bugs)
5. Circumvention of Platform permission model
6. A bug that allows a third-party to view private user data
Basically, anyone can cash into this opportunity but to qualify you must:
1.Be the first person to privately report the bug
2. Reside in a country not under any current US sanctions
3. Must abide to the Responsible Disclosure Policy and
4. The bug found could potentially compromise the integrity or privacy of Facebook user data.
The following would lead to disqualification in the bug bounty program:
1. Denial-of-service vulnerabilities
2. Spam and social engineering techniques and
3. Bugs in third-party apps and websites and Facebook's corporate infrastructure.
To submit your report click here.
According to Facebook;
"If you give us a reasonable time to respond to your report before making any information public and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research, we will not bring any lawsuit against you or ask law enforcement to investigate you."
Bugs that you can submit to Facebook:
1. Cross-Site Scripting (XSS)
2. Cross-Site Request Forgery (CSRF/XSRF)
3. Remote Code Injection
4. Broken Authentication (including Facebook OAuth bugs)
5. Circumvention of Platform permission model
6. A bug that allows a third-party to view private user data
Basically, anyone can cash into this opportunity but to qualify you must:
1.Be the first person to privately report the bug
2. Reside in a country not under any current US sanctions
3. Must abide to the Responsible Disclosure Policy and
4. The bug found could potentially compromise the integrity or privacy of Facebook user data.
The following would lead to disqualification in the bug bounty program:
1. Denial-of-service vulnerabilities
2. Spam and social engineering techniques and
3. Bugs in third-party apps and websites and Facebook's corporate infrastructure.
To submit your report click here.
Bugs and vulnerabilities that you can submit to Google:
1. .google.com
2. .youtube.com
3. .bloggers. com
4. .orkut.com
Bugs that you can submit to Google:
1. Cross-site scripting
2. Cross-site request forgery
3. Cross-site script inclusion
4. Flaws in authetication and authorization mechanisms
5. Server-side code execution or command injection bugs.
The following would lead to disqualification in the bug bounty program:
1. Attacks against Google corporate infrastructure
2. Social engineering and attacks on physical facilities
3. Brute-force denial of service bugs
4. SEO techniques
5. Vulnerabilities in non-web applications
6. Vulnerabilities in Google-branded services operated by third parties.
Reward Amounts offer by Google:
| | Other highly sensitive services [1] | Normal Google applications | Non-integrated acquisitions and other lower priority sites [2] | |
| Remote code execution | $20,000 | $20,000 | $20,000 | $5,000 |
| SQL injection or equivalent | $10,000 | $10,000 | $10,000 | $5,000 |
| Significant authentication bypass or information leak | $10,000 | $5,000 | $1,337 | $500 |
| Typical XSS | $3,133.7 | $1,337 | $500 | $100 |
| XSRF, XSSI, and other common web flaws | $500 - $3,133.7 (depending on impact) | $500 - $1,337 (depending on impact) | $500 | $100 |
You can send your report to security@google.com.
