Facebook is launching a loyalty program for white hat hackers alongside a description language designed to standardize the process of reporting bugs. The Facebook Bug Description Language (FBDL) is rolling out for all security researchers today after being made available to a handful of participants as part of an alpha program earlier this year.
FBDL is designed to help security researchers from all backgrounds and languages easily communicate and set up bug reproduction steps using a standard description language.
The social networking giant first launched a bug bounty program back in 2011, and it has since paid out nearly $10 million in rewards to security researchers who find glitches in its software. To incentivize more engagement from the “ethical hacker” community, Facebook is now introducing Hacker Plus, a program that offers performance-based rewards, including bonuses, all-expenses paid trips to special events, and early access to stress-test new products and features.
Hacker Plus adopts a league-based setup with five divisions, from the entry-level Bronze league to the top Diamond league. Someone in the Bronze league can receive 5% on top of each bounty award, while a researcher in the Diamond league can get 20% and paid trips to live hacking events.
Security researchers will be automatically placed into leagues based on the quality and quantity of their bug submissions over the past 24 months. This includes their “signal-to-noise” ratio, or the number of valid vulnerabilities that have been identified and resolved versus submissions that are duplicates or not “real” bugs. Moving forward, Facebook said it will “regularly evaluate” league positions by analyzing researchers’ performances over the preceding 12 months, meaning hackers can move up and down the ladder.
While there is no way to opt out of the program, individual league positions are kept private unless a researcher chooses to share their status on their Hacker Plus profile. But it’s easy to see how this could become addictive, given the way it gamifies bug hunting, encouraging researchers to pit their wits against their peers and earn new profile badges as they advance.
The bug bounty market has risen steadily over the past decade, with most of the big tech companies now offering some form of reward structure for anyone uncovering vulnerabilities. Google, for example, paid out $6.5 million last year — almost double the amount it paid in the previous year — taking its total bounty payouts since 2010 to $21 million. And Microsoft recently announced it had shelled out $13.7 million in the past year, around 3 times more than in the previous 12 months.