Facebook is launching a new loyalty program for white-hat hackers, alongside a new description language designed to standardize the process for reporting bugs.
The Facebook Bug Description Language (FBDL) is rolling out for all researchers starting today, after it was initially made available to a handful of researchers as part of an alpha program earlier this year.
In a nutshell, FBDL is designed to help researchers from all backgrounds and languages easily communicate and set up bug reproduction steps using a standard description language.
The social networking giant first launched a bug bounty program way back in 2011, and in the intervening years it has paid out nearly $10 million in rewards to security researchers who find glitches in the company’s software. To incentivize more engagement from the “ethical hacker” community, Facebook is now introducing Hacker Plus, a program that offers performance-based rewards including bonuses, all-expenses paid trips to special events, and early access to stress-test new products and features.
Hacker Plus adopts a league-based setup with five divisions, starting from the entry-level Bronze league all the way up to the top Diamond league. Someone in the Bronze league can receive 5% on top of each bounty award, while someone in the Diamond league can receive 20% and paid trips to live hacking events.
Security researchers will be automatically placed into leagues based on the quality and quantity of their bug submissions over the past 24 months. This includes their “signal-to-noise” ratio, which means the number of valid vulnerabilities that have been identified and resolved, versus submissions that are duplicates or not “real” bugs. Moving forward, Facebook said that the company will “regularly evaluate” league positions by analyzing researchers’ performances over the preceding 12 months, meaning that hackers can move up and down the ladder.
While there is no way to opt out of the program, the individual league positions are private to each researcher unless they choose to share it publicly on their Hacker Plus profile. But it’s easy to see how this could become addictive, given the way it gamifies bug-hunting and encourages researchers to pit their wits against their peers and earn new profile badges when they advance to a higher league.
The bug bounty market has risen steadily year-on-year over the past decade, with most of the big technology companies now offering some form of reward structure for finding vulnerabilities. Google, for example, paid out $6.5 million last year, almost double the amount it paid out the previous year, taking its total bounty payouts to $21 million since 2010. Microsoft, on the other hand, recently announced that it had doled out $13.7 million in the past year, around three times the figure on the previous 12 months.
Dedicated bug bounty platforms are also coining it in too, with San Francisco-based Bugcrowd recently securing $30 million in financing, which followed shortly after Hackerone’s $36.4 million raise.
You can’t solo security
COVID-19 game security report: Learn the latest attack trends in gaming. Access here