Facebook Cracks Down On Data Misuse With Expanded Bug Bounty Program

Facebook said it will expand its bug bounty program in the coming weeks in an attempt to crack down on data misuse by third-party app developers.

The company’s bug bounty program, started in 2011, invites researchers to find and report vulnerabilities on the social media platform. It will now be expanded to cover data-related issues as well, as Facebook steps up its privacy initiatives.

“Facebook’s bug bounty program will expand so that people can also report to us if they find misuses of data by app developers. We are beginning work on this and will have more details as we finalize the program updates in the coming weeks,” wrote Ime Archibong, VP of platform partnerships at Facebook, in a post on the Facebook for Developers blog.

As of now, Facebook’s information page detailing its bug bounty program, last updated Dec. 21, 2017, does not include any information about data misuse. The guidelines currently list third-party apps as “out of scope”: “Security issues in third-party apps or websites that integrate with Facebook (including most pages on apps.facebook.com)….are not managed by Facebook and do not qualify under our guidelines for security testing.”

The company did not comment further about the expanded program beyond the post on the Facebook for Developers blog.

Facebook hopes the changes to its bug bounty program will “maintain the trust people place in Facebook when they share information.” That goal is especially pressing on the heels of the data scandal that has rocked the company over the past few weeks, in which a third-party application handed over the data of up to 50 million platform users to the controversial political consulting firm Cambridge Analytica.

In addition to expanding its bug bounty program, Archibong said in the post that Facebook will take an array of further steps in response to the Cambridge Analytica incident, including conducting an in-depth review of the platform and of all apps that had access to large amounts of user information. Facebook is also doubling down on transparency around how it manages data policies and misuse: it is committing to inform users if an app is removed for data misuse, pushing for stricter terms for business-to-business third-party applications, and encouraging users to review and manage the apps they currently use.

“We know these changes are not easy, but we believe these updates will help mitigate any breach of trust with the broader developer ecosystem. Facebook would like to thank you and the entire global developer community for working with us to create a better experience for people,” according to Archibong’s post.

Facebook has been grappling with the fallout from the Cambridge Analytica scandal, with users questioning its policies around third-party app security as well as data management and misuse.

The Federal Trade Commission on Monday announced it is launching an investigation into Facebook’s data privacy practices. Meanwhile, a wave of politicians has called on Facebook to enforce privacy policies that protect user data, and business leaders from Elon Musk to WhatsApp co-founder Brian Acton have joined a #DeleteFacebook campaign against the company on social media.

The company has already said it has paused app reviews while it implements the new changes to its platform. In addition, Facebook has changed its policies so that apps that want to access data about users’ friends must now obtain an “extended permission,” which requires Login Review.

Craig Young, security researcher for Tripwire, said that Facebook’s steps to rein in data misuse on its platform, including the expanded bug bounty program, “make a lot of sense.”

“By expanding their bounty program to include data misuse by app developers, Facebook may have found a way to mobilize their community to self-police,” he said in an email. “It will be interesting to see if this spurs new bug bounty participation, including people less technical than the typical bug hunter.”
