Meta's bug bounty program now covers scraped data

Starting as a private bounty track for Gold+ HackerPlus researchers, Meta's bug bounty program will reward reports about scraping methods, even if the data they target is public.


Devdiscourse News Desk | California | Updated: 16-12-2021 14:18 IST | Created: 16-12-2021 14:12 IST
Country: United States

Meta has expanded its Bug Bounty and Data Bounty programs to address scraping, an internet-wide challenge. The social networking giant is launching two new areas of research for its programs: scraping bugs and scraped databases.

"As part of our larger security strategy to make scraping harder and more costly for the attackers, today we are beginning to reward valid reports of scraping bugs in our platform. To the best of our knowledge, this is the first scraping bug bounty program in the industry," the company said on Wednesday.

"Our goal is to quickly identify and counter scenarios that might make scraping less costly for malicious actors to execute. While lack of proper rate-limiting is now included in the program’s scope, we want to particularly encourage research into logic bypass issues that can allow access to information via unintended mechanisms, even if proper rate limits exist," Dan Gurfinkel, Security Engineering Manager, wrote in a blog post.

Meta will reward reports of unprotected or openly public databases containing at least 100,000 unique Facebook user records with PII or sensitive data (e.g. email, phone number, physical address, religious or political affiliation).

If it is confirmed that user PII was scraped, Meta says it will work to take appropriate measures to help ensure the issue is addressed. Alternatively, if the dataset is exposed on a hosting service, the company will work with the host to take the dataset offline.

Meta will issue a minimum reward of $500 for each scraping bug or dataset. Valid reports about scraping bugs will earn monetary rewards, while valid reports of scraped datasets will be rewarded in the form of charity donations.

For more information, head over to the official blog post.