UPDATED 09:02 EDT / JANUARY 03 2012

NEWS

Facebook Offers Bug Bounty Hunters the White Hat Credit Card

It’s not uncommon for large corporations to put bounties on bugs in their software and to dole out hefty amounts of cash to security researchers who uncover them and then show the developer how to fix the problem. So when I read that Facebook had gone a step further with its security bounty program and released a credit card for its favorite bug hunters, it made a lot of sense to me.

With this program, Facebook is following in the venerable path of Google, Mozilla, CCBill and others who see the merits of giving security researchers an outlet to discover and reveal security issues with their systems. The age-old question about 0-day exploits is how to get a corporation to deal with them: hackers successfully break the system, contact the corporation (which in the past often roundly ignored them), and then decide whether or not to go public. The presence of a bounty on bugs reduces the likelihood that an outfit of white hat hackers will go public and shows that the corporation in question is probably willing to get the problem fixed.

According to Brian Krebs, he first discovered the Facebook black card when he learned that Szymon Gruszecki had earned one. Gruszecki is a Polish security researcher who does a lot of work seeking security vulnerabilities in public-facing data corporations like those listed above, and he does so for the bounty. A fairly good security researcher can make thousands of dollars per bounty for a single discovery, so it’s an extremely lucrative profession.

As a social media outlet, Facebook understands reputation and they want to treat the people who help protect them from hackers well. Elinor Mills at CNET also highlights some of this thinking directly from the horse’s mouth.

“Researchers who find bugs and security improvements are rare, and we value them and have to find ways to reward them,” Ryan McGeehan, manager of Facebook’s security response team, told CNET in a recent interview. “Having this exclusive black card is another way to recognize them. They can show up at a conference and show this card and say ‘I did special work for Facebook.’”

Not only would the credit card hold cash value—filled up when bounty hounds managed to pin down a bug—but the card itself could be a badge of honor. McGeehan offered that they might use the card as a pass to enter exclusive parties.

Personally, I think that they’d better be able to release multiple black cards so that an entire research team can get into the party rather than only one. After all, while some researchers are individuals, oftentimes the bounty is shared by an entire logistics team and not just one glory hound.

According to McGeehan, the most Facebook has paid for a bounty happens to be $5,000, and this has happened several times.

Researchers who receive a bounty must follow Facebook’s Responsible Disclosure Policy and not go public until the exploit has been fixed—although I expect that Facebook makes some sort of time concession to them to prevent researchers from balking at taking money if the corporation then fails to fix it in a timely manner.

Another researcher who has received a White Hat Card is Charlie Miller, a researcher at Accuvant, who is best known for finding holes in OS 5 and Safari. He tweeted about the experience, “Facebook whitehat card not as prestigious as the SVC card, but very cool ;) Fun way to implement no more free bugs.”

Paying bounties for bugs has become a mainstay of the industry and is currently probably the best mechanism for showing that corporations are ready and willing to deal with security researchers and shore up vulnerabilities. Bounties are not bribes to quiet researchers; most researchers genuinely want to help the corporations, and their customers, more than they want the money. Cash, however, is an excellent incentive for bringing more good talent into the field.

