Talk about geek chic. Facebook has started paying researchers who find and report security bugs by issuing them custom branded “White Hat” debit cards that can be reloaded with funds each time the researchers discover new flaws.
I first read about this card on the Polish IT security portal Niebezpiecznik.pl, which recently published an image of a bug bounty card given to Szymon Gruszecki, a Polish security researcher and penetration tester. A sucker for most things credit/debit card related, I wanted to hear more from researchers who’d received the cards.
Like many participants in Facebook’s program, Gruszecki also is hunting bugs for other companies that offer researchers money in exchange for privately reporting vulnerabilities, including Google, Mozilla, CCBill and Piwik. That’s not to say he only finds bugs for money.
“I regularly report Web app vulnerabilities to various companies [that don’t offer bounties], including Microsoft, Apple, etc.,” Gruszecki wrote in an email exchange.
The bug bounty programs are a clever way for Internet-based companies to simultaneously generate goodwill within the security community and to convince researchers to report bugs privately. Researchers are rewarded if their bugs can be confirmed, and if they give the affected companies time to fix the flaws before going public with the information.
As an added bonus, some researchers — like Gruszecki — choose not to disclose the bugs at all.