June 05, 2012, 1:59 PM — Can the volunteer White Hats of hacking protect the world's most popular social networking site from the Black Hats?
Ryan McGeehan, head of Facebook's security response team, apparently thinks so. In a post on the questions-and-answers site Quora last month, McGeehan wrote: "Facebook Security's bug bounty program (launched last July) has been hugely successful so far and we've gotten great feedback from our active researchers."
He continues: "To date, we've paid out over $300,000 to 131 researchers (in 27 countries) and have one researcher coming on board as an intern this summer."
Facebook typically pays its rewards with "White Hat" debit cards. The researcher hired to work as an intern is Brown University junior Neal Poole, who as of last December had reported about a dozen vulnerabilities to Facebook, reports Brian Krebs of the blog KrebsonSecurity.
Paying bounties for bugs is not a new idea. Google launched its own program in February 2011, and announced this past February that it had paid $410,000 to friendly hackers.
[See Bill Brenner in Salted Hash: Why Boba Fett would work for Google]
Robert O'Harrow Jr. noted in a Washington Post story on zero-day attacks last week that the security firm TippingPoint began offering bounties to hacker researchers in 2005, calling it the Zero Day Initiative.
"Since then, more than 1,600 researchers have been paid for reporting almost 5,000 zero-days," O'Harrow wrote. "Starting at hundreds of dollars, the bounties soar into the tens of thousands. A hacker in Shanghai named Wu Shi has earned close to $300,000 for reporting more than 100 flaws in web browsers."
And Andy Greenberg, writing in Forbes last week, said Google has increased its maximum bounty for reporting a single bug in its web services to $20,000, more than five times its previous maximum of $3,133.70.
But is even $300,000 enough to keep promising hackers from the dark side in the long term? That apparently remains to be seen. Thousands of hackers working for mostly modest bounties to prevent cybercrime on popular sites suggest that it is.