Facebook Can't Police Itself, So It Set Up a Bounty Hunter Program

Rewards start at $500.

If you have proof that an app is selling data from Facebook users, Facebook will pay you for it, the company announced Tuesday. It’s the latest in a series of moves by the company in the midst of the biggest scandal in its history. Whenever data that was legitimately collected is sold, stolen, or transferred to another company without authorization from Facebook, it’s fair game for a bounty that begins at $500.

Facebook’s Head of Product Security Collin Greene published a blog post announcing the program, officially called the Data Abuse Bounty Program: an incentive-based system that rewards whistleblowers who have first-hand evidence of apps misusing user data.

The reasons Facebook has started the bounty hunter program are varied, but primarily they stem from a system that was easily corruptible and lightly policed.

It’s the latest step to enact checks and balances following its failure to police Cambridge Analytica, the UK firm that obtained user data through a personality quiz app running on the platform and sold it to political campaigns.

Facebook founder Mark Zuckerberg attempted to defend his company last month, saying it had received certifications from Cambridge Analytica that it had destroyed the data.

“As far as we understood there was no data out there,” Zuckerberg said in a CNN interview on March 21. “I don’t know about you, but I’m used to, when people legally certify they’re going to do something, that they do it.”

But Cambridge Analytica didn’t destroy the data in 2015; it instead sold it to various Republican campaigns.

Facebook later announced that the personal information of as many as 87 million users may have been improperly shared, burying the figure at the bottom of a blog post last week.

In theory the program will afford Facebook the ability to deal with app policy abuses head-on. It might also allow the company to avoid the media spotlight when it does.

An FAQ page for the program spells out how much money one could expect to make:

Q: How much can I expect to make?
A: Cases that prove to be true can get a reward starting at a $500 minimum. We determine bounty amounts based on a variety of factors, including (but not limited to) impact, data exposure, number of affected users and other factors. The higher the impact and/or number of affected users, the higher the bounty. For our security bug bounty program, whose pricing model this program copies, we have paid upwards of $40,000.

The bounty hunter program may come up on Tuesday, when Zuckerberg will testify at a joint hearing of the U.S. Senate Committee on the Judiciary and the Senate Committee on Commerce, Science, and Transportation. The hearing starts at 2:15 p.m. Eastern.

To be eligible for a data abuse bounty, Facebook has laid out the terms, including that the incident in question must have affected at least 10,000 users. “Malware or mass-scale tricking of users to install apps” and cases involving Instagram won’t count for now, but Facebook says that the program is new and evolving.

When reports are filed, Facebook says it will investigate and respond with a lump sum reward based on the “impact, data exposure, number of affected users and other factors,” according to the bounty terms.