Meta, the company formerly known as Facebook, has announced an expansion of its bug bounty program to cover reports of scraping vulnerabilities across its platforms, as well as reports of scraped data sets that have been left publicly accessible.
“We know that automated activity designed to scrape people’s public and private data targets every website and service,” said Dan Gurfinkel, security engineering manager at Meta. “We also know that it is a highly adversarial space, where scrapers, be they malicious applications, websites, or scripts, continually adjust their tactics to evade detection.” As part of that effort, the social media giant intends to pay for valid reports of scraping bugs in its services, and to reward reports that identify exposed databases containing at least 100,000 unique Facebook user records with personally identifiable information (PII) such as an email address, phone number, physical address, or political affiliation. There is one caveat: the data set must be unique and not previously known.
Should those criteria be met, the company said it will take appropriate measures, including legal action, to have the data removed from non-Meta websites. That may involve contacting hosting providers such as Amazon, Box, and Dropbox to take the data set offline, or working with third-party app developers to fix server misconfigurations. Meta added that it “will reward researchers who report scraped databases with matched donations to a charity of their choice.”
“Our goal is to identify and counter scenarios that make scraping easier for malicious actors,” Gurfinkel said, adding that “we want to encourage research into logic bypass issues that can provide access to information via unintended mechanisms even if proper rate limits exist.” Researchers from more than 46 countries have received over $2.3 million in bounties since the program began in 2011. Meta noted that the majority of valid reports over the past decade have come from India, the U.S., and Nepal.