Tuesday, January 3, 2012

Facebook gives Visa debit cards to white-hat hackers

In a bid to encourage researchers to report security bugs, social networking giant Facebook is giving out a unique reward to these bug hunters: a debit card.

The customized Visa debit card works just like a credit card with Facebook adding more money to the account as the bearers report more bugs, tech site CNET said.

"Researchers who find bugs and security improvements are rare, and we value them and have to find ways to reward them. Having this exclusive black card is another way to recognize them. They can show up at a conference and show this card and say 'I did special work for Facebook,'" CNET quoted Ryan McGeehan, manager of Facebook's security response team, as saying in a recent interview.

Other advantages of the card may include serving as a pass to get into a party, McGeehan said. "We're trying to be creative," he added.

CNET reported Facebook has plans to leverage the knowledge and skills of the researchers beyond just bug bounty.

"Whenever possible we're going to try to load-in White Hat researchers into products early, as soon as (they are) in production," McGeehan said.

This way, he said Facebook "will get an early warning on anything they find."

The CNET report said this was Facebook's way of doing something special for those who help it keep hackers and malware out.

Researchers who report security bugs that are eventually confirmed can make a minimum of $500, but have to follow Facebook's Responsible Disclosure Policy and not go public with the vulnerability information until the hole has been fixed.

McGeehan said the most Facebook has paid out for one bug report is $5,000. He said at least 81 researchers have received payments for reporting bugs.

Facebook's program for rewarding bug hunters, launched last July, followed in the footsteps of software maker Mozilla and search giant Google.

For charity

McGeehan said Facebook had even agreed to match a $2,500 bounty that one researcher donated to charity, at that researcher's request.

CNET said Charlie Miller, a researcher at Accuvant who had found holes in Apple Inc.'s iOS 5 and Safari, has also received a White Hat card.

But Szymon Gruszecki, a Polish security researcher and penetration tester, told security blogger Brian Krebs he has asked Facebook to send his earnings another way.

Krebs quoted Gruszecki as saying using the card carried too many fees in his country.

“I have found the card is too expensive to use in Poland, and chose another way to get my reward. The Facebook team sent me the card only as a souvenir,” he said.

Neal Poole, another researcher who reported flaws to Facebook, Google and Mozilla, may get a job at Facebook, working with the company’s security team.

“I don’t think I’d want to use a card like that at [hacker conventions like] Black Hat or DefCon. It’d probably get cloned, or I’d feel like if you pulled out the card you would immediately become a target,” he said. (report from TJD, GMA News)