Meta Expands Bug-Bounty Program to Include Data Scraping

Meta, recently rebranded from Facebook, today announced the expansion of its bug-bounty and data-bounty programs to reward valid reports of so-called scraping bugs and scraped databases with monetary compensation and matched charity donations, respectively.

The move is meant to address the risk of attack activity designed to scrape public and private data, which poses a threat to all kinds of websites and services. Scrapers such as malicious apps, websites, and scripts are constantly being updated to evade detection; the idea here is to make the process harder and more expensive for attackers, explained Dan Gurfinkel, security engineering manager, in a blog post.

The programs will start as a private bounty track for Meta’s Gold+ HackerPlus researchers. The company will reward reports of scraping methods, even if the targeted data is public, he noted. Its goal is to find bugs that allow attackers to bypass scraping limitations and access data at a larger scale than a product intended.

“Our goal is to quickly identify and counter scenarios that might make scraping less costly for malicious actors to execute,” he wrote. To the best of the company’s knowledge, this is the industry’s first data-scraping bug-bounty program.

Lack of proper rate limiting is currently included in the program’s scope, Gurfinkel continued, but its terms don’t allow hackers to automate data access and collection. Meta is encouraging research into logic bypass issues that could enable attackers to access information through untended mechanisms, even if proper rate limits are in place.

Starting Dec. 15, Meta’s bug-bounty program will reward reports of unprotected or openly public databases containing at least 100,000 unique Facebook user records with personally identifiable information (PII) or sensitive data, such as email addresses, phone numbers, physical addresses, or religious or political affiliations.

“The reported dataset must be unique and not previously known or reported to Meta,” Gurfinkel wrote. “We aim to learn from this effort so we can expand the scope to smaller datasets over time.”

If it’s confirmed that PII was scraped and is available on a website outside Meta, the company says it will “work to…