The “Data Abuse Bounty” program, which is the first of its kind in the industry, has payouts starting at $500 and going up to $40,000 for big discoveries, although the company noted that there’s no maximum amount for the payouts. “We committed to launching this program a few weeks ago as part of our efforts to more quickly uncover potential abuse of people’s information. The Data Abuse Bounty, inspired by the existing bug bounty program that we use to uncover and address security issues, will help us identify violations of our policies,” Collin Greene, Head of Product Security, wrote in a blog post, late on Tuesday. “This program will reward people with first-hand knowledge and proof of cases where a Facebook platform app collects and transfers people’s data to another party to be sold, stolen or used for scams or political influence. Just like the bug bounty program, we will reward based on the impact of each report. While there is no maximum, high impact bug reports have garnered as much as $40,000 for people who bring them to our attention.” Greene further added, “We’ll review all legitimate reports and respond as quickly as possible when we identify a credible threat to people’s information. If we confirm data abuse, we will shut down the offending app and take legal action against the company selling or buying the data, if necessary. We’ll pay the person who reported the issue, and we’ll also alert those we believe to be affected.” The “Data Abuse Bounty” is motivated by the current bug bounty program that the company uses to discover and address security flaws. This would help Facebook detect violations of its policies. Facebook pays out over $1 million on average a year in bug bounties, executives said. “It will help us find the cases of data abuse not tied to a security vulnerability. … This will cover both hemispheres, and help surface more cases like Cambridge Analytica so we can know about it first and take action,” Facebook’s chief security officer, Alex Stamos told CNBC. Currently, the company’s “bug bounty team” has about 10 employees, but plans to hire more people and involve other teams in order to investigate validated claims. To be eligible, the case must involve at least 10,000 Facebook users. The bounty hunter should show how data was abused and not just collected. Further, it should be a case that Facebook is not already aware of or is actively investigating. Scenarios such as data scraping, malware or mass-scale tricking of users to install apps, social engineering projects and non-Facebook cases (ex: Instagram) are not eligible. “A door is always open if a whistleblower wants to say there’s something sketchy here,” Greene told CNBC.
