Facebook pays for security loopholes

Direct link to Facebook's bug bounty program: <a href="http://www.facebook.com/whitehat/bounty/" rel="nofollow">http://www.facebook.com/whitehat/bounty/</a><p>Mozilla (<a href="http://www.mozilla.org/security/bug-bounty.html" rel="nofollow">http://www.mozilla.org/security/bug-bounty.html</a>) and Chromium (<a href="http://dev.chromium.org/Home/chromium-security/vulnerability-rewards-program" rel="nofollow">http://dev.chromium.org/Home/chromium-security/vulnerability...</a>) have bug bounties too and I'm sure many other projects do.

£25,000 seems like small change for identifying potentially disastrous security holes.

A security professional does this money in a few hours of work, so the "prize" is not very attractive.<p>And what's interesting is that within the security ecosystem there are proven ways to win authority and reputability.

I wasn't sure from the title if the article was about:<p>1. Facebook paying security researchers to find and report vulnerabilities.<p>2. Facebook paying (in user data, public image, and lawsuits) for vulnerabilities exploited by malicious security researchers.<p>It's the former. As such, it reminds me of the "What does $1265 of bugs look like?" discussion recently at <a href="http://news.ycombinator.com/item?id=2927914" rel="nofollow">http://news.ycombinator.com/item?id=2927914</a> , where the author of open-source software paid between $1 and $50 for various bug levels. Does it make any sense for a company like Facebook to offer tiny bounties on code style, spelling errors, and harmless bugs?

"Facebook should consider setting up a "walled garden" that only allowed vetted applications from approved developers to connect to the social networking site, he said."<p>No. Just no.

I think this is working. I haven't gotten as much spam on Facebook as I did a year ago.