Meta (formerly Facebook) has announced that it is expanding its bug bounty programme to start rewarding valid reports of scraping vulnerabilities across its platforms.
Under the programme, researchers will be rewarded for finding “unprotected or openly public databases containing at least 100,000 unique Meta user records with PII (personally identifiable information) or sensitive data.
The main goal of this programme is to find bugs that attackers are utilising to bypass scraping limitations in order to access data at a greater scale than is intended in its products.
“We know that automated activity designed to scrape people’s public and private data targets every website or service,” Meta says in its announcement. “We also know that it is a highly adversarial space where scrapers — be it malicious apps, websites, or scripts — constantly adapt their tactics to evade detection in response to the defences we build and improve.”
Financial rewards starting at $500 are on offer for scraping bugs and scraped database reports will be matched with charity donations.
The company said it will also contact hosting providers such as Amazon Web Services, Box, and Dropbox as appropriate to have the scraped information removed from their platforms.
Earlier this month, Meta increased the scope of Facebook Protect, a service designed to enhance the security of user accounts considered to be at higher risk.
Since the launch of its bug bounty program in 2011, Meta has paid more than $14 million in bug bounties and received more than 150,000 reports, of which more than 7,800 were awarded a bounty.
So far this year, the company awarded more than $2.3 million to researchers from 46 countries.
