Facebook is launching a loyalty program for white hat hackers as well as a description language to standardize how bugs are reported. Facebook Bug Description Language (FBDL) launches for all security researchers today, after being made available to a handful of attendees as part of an alpha program earlier this year.
FBDL is designed to help security researchers from all backgrounds and languages communicate clearly and write bug reproduction steps using a standard description language.
The social networking giant started a bug bounty program back in 2011 and has since paid out nearly $10 million to security researchers who found bugs in its software. To encourage engagement in the “ethical hacking” community, Facebook is now introducing Hacker Plus, a program that offers performance-based rewards, including bonuses, paid travel on special occasions, and early access to stress-test products and features.
Hacker Plus uses a league-based setup with five divisions, from the entry-level Bronze League to the top Diamond League. Someone in the Bronze League gets a 5% bonus on top of any bounty, while someone in the Diamond League gets 20% and paid travel to live hacking events.
Security researchers are automatically placed into leagues based on the quality and quantity of their bug submissions over the past 24 months. This includes the signal-to-noise ratio: the number of valid vulnerabilities that were identified and fixed, compared to submissions that were duplicates or not “real” bugs. Going forward, Facebook will “regularly rate” league positions by analyzing researchers’ performance over the past 12 months. This means that hackers can move up and down the ladder.
Although there is no way to opt out of the program, individual league positions are kept private unless a researcher shares their status on their Hacker Plus profile. But it’s easy to see how this could become addictive when you consider how it gamifies bug hunting and encourages researchers to pit their wits against their peers and earn new profile badges over time.
The bug bounty market has grown steadily over the past decade. Most of the big tech companies now offer some kind of reward structure for anyone who discloses vulnerabilities. For example, Google paid out $6.5 million last year, almost double the previous year’s figure, and has increased its total bounty payouts to $21 million since 2010. And Microsoft recently announced that it spent $13.7 million last year, roughly three times more than in the preceding 12 months.
Dedicated bug bounty platforms are also growing: San Francisco-based Bugcrowd recently raised $30 million in funding shortly after HackerOne raised $36.4 million.