Facebook Offers New Bug Bounty – But Will This Help?

Facebook is trying very hard to win back the trust it lost from its users. I can’t blame them for wanting to improve their image, but I do wonder whether it will make a difference in the long run. In their most recent attempt, Facebook is introducing a new Data Abuse Bounty program that will reward people with up to $40,000 when a data abuse breach has been found. On one hand, I want to say that this is great news; on the other hand, I wonder whether it’s all for show, more a way to appease users than a way to do some good.

The program will reward people who have first-hand knowledge and evidence of a Facebook app violating any of Facebook’s policies or selling user data to third parties. What’s interesting about the bounty is that it was launched in advance of Mark Zuckerberg’s testimony before the Senate Judiciary Committee, which is why I think this is just a way to appease users rather than an actual strategy. But following that line of thinking: is it even a good strategy?

Yes, and no. Yes, because it helps them identify these bugs and then fix them. But no, because who knows how long users have been exposed in the first place? A bug could have left you exposed for two years before anyone notices it, and what’s the plan then? I guess my concern is that Facebook isn’t able to bring in people who can do this testing. I’m not saying that Facebook can’t outsource this type of service, but I do wonder why it can’t be done in-house. Is it a talent attraction problem? I simply mean that this is a huge issue for them, so why leave it up to people outside of the organization?

I think I’m overlooking something, don’t you? Facebook launched this bounty program as a way to get people to report bugs that could lead to data breaches. That’s great. But what does this have to do with the Cambridge Analytica situation? In that instance, Facebook gave Cambridge Analytica the data. They had permission to take it. They didn’t necessarily have your permission, but they had permission from Facebook to take it. That’s not a data breach. That’s handing over sensitive information. So why is this part of Facebook’s plan?

In general, I think any bug bounty program is great, and this one is no different. But Facebook has a ton of other issues to deal with. What happened with Cambridge Analytica wasn’t the result of a bug; I think I would have more sympathy for them if it were. This was deliberate. This was Facebook giving away user data. There’s no going back from that. There is no amount of PR in the world that will persuade me otherwise. The facts are the facts, and now that you have them, what will you do with your Facebook account?