Meta is expanding its bug bounty program to reward researchers who report data scraping. The change will allow researchers to report both bugs that could enable scraping activity and previously scraped data that has already been posted online.
In a blog post, Meta says it believes it was the first to launch a bug bounty program to specifically target scraping activity. “We’re looking to find vulnerabilities that enable attackers to bypass scraping restrictions to gain access to data on a larger scale than we initially intended,” Dan Gurfinkel, director of security engineering, told reporters during a briefing.
Data scraping differs from other “malicious” activities that Meta tracks in that it uses automated tools to collect personal information in bulk from user profiles, such as email addresses, phone numbers, profile pictures, and other details. Although users often willingly share this information on their public Facebook profiles, scraping tools can expose these details more broadly, such as by posting the information to searchable databases.
It can also be difficult for Meta to combat this activity. For example, in April the personal information of more than one Facebook user was posted in a forum. In this case, the actual data mining had happened years ago, and the company had already addressed the underlying flaw. But there wasn’t much that could be done once the data was traded online. In some cases, the company has personnel to extract the data.
Under the new bug bounty program, researchers will be rewarded for finding “unprotected or public databases containing at least 100,000 unique Facebook user records with PII” [personally identifiable information] or sensitive data (such as email, phone number, physical address, religious or political affiliation). Instead of its usual payments, Meta says it will donate to a charity of the researcher’s choice in order not to incentivize the publication of the stolen data.
For bug reports that can lead to data scraping, researchers can choose between a donation or a direct payment. Meta says that each bug or dataset qualifies for a prize of at least $500.