Facebook Gamifies Bug Hunting and Reporting With Hacker Plus Program

essidsolutions

The white hat community can now test bug hunting skills under Facebook’s new Hacker Plus loyalty program. Security researchers can leverage the newly launched Facebook Bug Description Language (FBDL) to uncover hidden, unknown bugs in Facebook applications and services.  

After months in beta mode, Facebook debuted Facebook Bug Description Language (FBDL) to the global developer community. The company has launched a loyalty program called Hacker Plus, ‘designed to incentivize researchers with additional rewards and benefits.’ The recent announcements can be attributed to Facebook’s attempt at streamlining the bug reporting and communication process under its nearly decade-old Bug Bounty Program.

FBDL was developed so that the white hat community can reproduce and describe bugs more easily and streamline communication with the company. With FBDL, bug hunters have a standardized bug description language through which they can communicate key data points, metrics, and the impact of a bug on application security.

Under this bug bounty program, researchers can:

  • Quickly create a test environment
  • Submit findings effortlessly

If hackers submit verified bug reports, Facebook will:

  • Accept reports seamlessly
  • Reproduce bugs easily
  • Relay feedback and distribute payouts instantly

This is accomplished by consolidating the bug reproduction process in a single, standardized bug description language which can be leveraged by security researchers experienced in any programming language. Moreover, FBDL will help teams at the company to make the bug reporting, reproduction, and patching process in Facebook apps and services more efficient.


Facebook also kickstarted Hacker Plus, a security-centric loyalty program to galvanize widespread adoption of the new bug reporting tool. Deemed a first-of-its-kind initiative, Hacker Plus will qualify researchers for bonuses on bounty awards, preliminary access to Facebook products and features to stress-test, and exclusive, fully paid invites to Facebook’s annual events. The program assesses researchers on key parameters, such as the cumulative quantity of bug submissions, relevant scores and signal-to-noise ratio measured over the last 24 months. Researchers will be placed in five leagues or groupings — Bronze, Silver, Gold, Platinum, and Diamond. The Bronze league is the entry level, while the Diamond league is the upper tier of the program.

Each league carries its own bonus rate, among other incentives. For example, members of the Bronze league receive a 5% bonus on each bounty they are awarded, whereas those in Diamond receive 20%. Besides bonuses, each league also entitles its members to varying levels of perks like:

  • Invites to carry out pre-launch stress tests of new features and products (Gold, Platinum, Diamond)
  • Paid-for invites to bug bounty events (Platinum and Diamond)

Placement of members in leagues will be automated and dependent upon the quality of submissions which security teams at Facebook will regularly assess. Researchers can move up or down in different league tiers depending upon the quality of reported bugs.

League Perks (Image: Facebook):

League    Qualifying Criteria                          Multiplier Bonus   Expanded Access to Private Bounties   Swag              Trips and Events
Diamond   Score > 3000, SNR > 0.6, Valid Bugs >= 10    0.2                Y                                     Diamond Bundle    Live Hacking Events, Vegas DEFCON, Facebook campus, F8
Platinum  Score > 2000, SNR > 0.5, Valid Bugs >= 7     0.15               Y                                     Platinum Bundle   Vegas DEFCON
Gold      Score > 1000, SNR > 0.4, Valid Bugs >= 5     0.1                Y                                     Gold Bundle       N/A
Silver    Score > 500, SNR > 0.3, Valid Bugs >= 3      0.075              N                                     Silver Bundle     N/A
Bronze    Score > 200, SNR > 0.2, Valid Bugs >= 1      0.05               N                                     N/A               N/A

The Hacker Plus program appears to be a gamified update to the almost decade-old Facebook Bug Bounty Program. So far, the social networking giant has paid out $9.8 million in bug bounty rewards since the program’s inception in 2011. Hacker Plus is live as of 08:00 p.m. EDT on October 9, 2020.
