Meta expands its bug bounty program to include data scraping

Meta (formerly Facebook) has announced that it is expanding its bug bounty program to start rewarding valid reports of scraping vulnerabilities across its platforms.

Under the programme, researchers will be rewarded for finding “unprotected or openly public databases containing at least 100,000 unique Meta user records with PII (personally identifiable information) or sensitive data.” The main goal of this programme is to find bugs that attackers are utilising to bypass scraping limitations in order to access data at a greater scale than is intended in its products.

In a blog post, Meta says it believes it is the first to launch a bug bounty program to specifically target scraping activity. “We’re looking to find vulnerabilities that enable attackers to bypass scraping limitations to access data at greater scale than what we initially intended,” Security Engineering Manager Dan Gurfinkel told reporters during a briefing.

Financial rewards starting at $500 are on offer for scraping bugs, and scraped database reports will be matched with charity donations. The company said it will also contact hosting providers such as Amazon Web Services, Box, and Dropbox as appropriate to have the scraped information removed from their platforms.

Earlier this month, Meta increased the scope of Facebook Protect, a service designed to enhance the security of user accounts considered to be at higher risk.

Since the launch of its bug bounty program in 2011, Meta has paid more than $14 million in bug bounties and received more than 150,000 reports, of which more than 7,800 were awarded a bounty.

So far this year, the company awarded more than $2.3 million to researchers from 46 countries.