Facebook hands out White Hat debit cards to hackers

Elinor Mills

by Elinor Mills December 31, 2011 10:49 AM PST
This is the Visa debit card Facebook is giving to some security researchers for reporting bugs.

This is the Visa debit card Facebook is giving to some security researchers for reporting bugs.

(Credit: Facebook)

A few companies pay money to bug hunters. But Facebook is giving out something more unique than just a check. Some security researchers are getting a customized “White Hat Bug Bounty Program” Visa debit card.

The researchers, who can make thousands of dollars for reporting just one security hole on the social-networking site, can use the card to make purchases, just like a credit card, or create a PIN and take money out of an ATM. As the researchers find more bugs, Facebook can add more money to the account.

Facebook wanted to do something special for the people who are helping the company shore up its software and keep hackers and malware out.

“Researchers who find bugs and security improvements are rare, and we value them and have to find ways to reward them,” Ryan McGeehan, manager of Facebook’s security response team, told CNET in a recent interview. “Having this exclusive black card is another way to recognize them. They can show up at a conference and show this card and say ‘I did special work for Facebook.’”

Besides holding cash value, the White Hat card may proffer other advantages. “We might make it a pass to get into a party,” for instance, McGeehan said. “We’re trying to be creative.”

Facebook launched its bug bounty program in July, following in the steps of Mozilla and Google. The minimum a researcher can make for reporting a bug that is eventually confirmed is $ 500, and there is no maximum. Researchers have to follow Facebook’s Responsible Disclosure Policy and not go public with the vulnerability information until the hole has been fixed.

The most Facebook has paid out for one bug report is $ 5,000, and it has done that several times, according to McGeehan. Payments have been made to 81 researchers, he said.

Recently, “someone came to us with a bounty-worthy ticket and they said they didn’t want the bounty,” he said. Instead, the researcher wanted the money–$ 2,500–to go to a charity and for Facebook to match it. Facebook agreed, McGeehan said.

Brian Krebs, who first wrote about the White Hat Visa, reports that recipients have included Szymon Gruszecki of Poland and Neal Poole, a junior at Brown University who will be an intern at Facebook next summer.

And Charlie Miller, a researcher at Accuvant better known for finding holes in iOS 5 and Safari than Facebook, also has received a White Hat card. “Facebook whitehat card not as prestigious as the SVC card, but very cool ;) Fun way to implement no more free bugs,” he tweeted.

Facebook has plans to leverage the knowledge and skills of the researchers beyond just providing the bug bounty incentive.

“Whenever possible we’re going to try to load-in White Hat researchers into products early–as soon as (they are) in production,” McGeehan said. Thus Facebook “will get an early warning on anything they find.”