Meta Platforms Inc. today announced a new enhancement to its bug bounty program with the launch of an industry-first bug bounty program for data “scraping” as well as offering further education opportunities for researchers.

The Meta bug bounty program will now award valid reports about scraping methods, even if the data they target is public. The program will allow Meta, previously Facebook, to find vulnerabilities that enable attackers to bypass scraping limitations to access data at a greater scale than the product intended. Doing so will allow Meta quickly to identify and counter scenarios that might make scraping less costly to execute.

In addition, Meta is also expanding its data bounty program to reward reports of unprotected or openly public databases containing at least 100,000 unique Facebook user records with personally identifiable information or sensitive data such as email, phone number, physical address, religious or political affiliation. To qualify, the reported dataset must be unique and not previously known or reported to Meta.

If a database is confirmed as including PII and was scraped and exposed online, Meta will work with the relevant entity to remove the dataset or seek legal means to ensure the issue is addressed. To avoid providing an incentive for scraping activity — where a person may intentionally scape the data then present it to Meta — bounty payments for valid reports of scraped datasets will be made in the form of charity donations to nonprofits of the researcher’s choosing.

To encourage and help cultivate a more sustained interest among new and existing researchers, Meta is also expanding education opportunities, especially certain bug areas that are difficult to transition between, such as software-to-hardware bug hunting.

Meta’s annual conference, BountyCon, will include sessions run by top researchers who have practical techniques and approaches to discovering and reporting critical vulnerabilities across surfaces for other researchers to learn from. A new three-day conference, BountyConEdu, will be held next year for university students across Europe interested in learning more about the industry.

Later this year, Meta will also launch a dedicated education center to help quickly onboard bug bounty researchers onto different products and technologies so that they can cut the time it takes to hunt new areas for bugs.

Since the launch of its bug bounty program in 2011, Meta has paid more than $14 million in bug bounties and received more than 150,000 reports, of which more than 7,800 were awarded a bounty. So far this year, the company awarded more than $2.3 million to researchers from 46 countries.

Image: Pixabay