The company will calculate a researcher's score by evaluating how many vulnerabilities they've found in the last 12 months along with their bug-to-noise ratio (the share of submitted reports that are not bugs) over the last 24 months. Based on that score, they'll be placed in a league ranging from bronze to diamond, and that league will determine how much bonus they'll earn when they find their next bug. Apart from payment bonuses, the top two tiers, Diamond and Platinum, also get access to events such as DEF CON in Las Vegas. Facebook is kicking off this program starting today, October 9, 12:00 am UTC. The company is also awarding anyone who reaches the Diamond tier before year-end an Oculus Quest 2 virtual reality headset. Dan Gurfinkel, the security engineering manager at Facebook, said that this program will encourage community building and quality bug submissions.

Facebook's top-tier rewards are enticing for a security researcher: more money for finding bugs, access to stress-test upcoming products, invitations to Facebook events and campus visits, and access to the company's top security people. All of this can lead to better job opportunities for them. However, much of the onus lies on Facebook to judge fairly what counts as noise and what counts as a quality bug report, and the company's decisions can lead to disputes or unrest in the security researcher community. It might also put pressure on researchers to keep working only on Facebook's platform to find bugs and maintain their league.

Along with this, the social network is also releasing Facebook Bug Description Language (FBDL), a tool for researchers to describe how Facebook engineers can reproduce bugs and how much impact a bug might have on the system. You can learn more details about the Hacker Plus program here.

Facebook now has a loyalty program for its bug bounty hunters on its platform