A Closer Look At Facebook’s Data Abuse Bounty


Barely a week ago, in furtherance of Facebook's commitment to curbing abuse, the company announced that it will now reward its users for reporting data abuse on its platform.

Today, we take a second look at this reward program, called the "Data Abuse Bounty".

The Data Abuse Bounty isn't entirely new. It was inspired by an existing program, the bug bounty program, which provides recognition and compensation to security researchers practicing responsible disclosure and enables Facebook to uncover and address security issues on its platform.

As announced, the Data Abuse Bounty works much like the bug bounty program, but it focuses on how malicious apps on Facebook collect users' data and transfer it to third parties to be sold, stolen or used for other purposes, including scams and political influence. It will reward people who come forward with first-hand proof of such data abuse.

The reward for data abuse will be based on each verified report. Whereas bug reports can pay up to $40,000 for high-impact findings, Facebook has set a minimum payment of $500 for the Data Abuse Bounty. The amount paid will be determined by the impact of the abuse, the data exposed, the number of affected users and so on. In other words, the higher the impact and/or the number of affected users, the higher the bounty.

Here are some other things you need to know about the data abuse bounty.

What is the goal of the Data Abuse Bounty?

Basically, to avoid another Cambridge Analytica scandal, I guess. According to Facebook, the program is a data protection measure against malicious abuse of trust by some apps. The goal is to encourage and reward users for helping Facebook identify and fix security problems involving third parties and apps that buy and sell data through means other than those permitted by Facebook's terms.

The program is, however, a pilot, meaning it will change as the company receives feedback from the people who use it.

Who is eligible to submit a report?

Only those with direct, first-hand 'technical' knowledge of facts showing that an app has abused data. You cannot submit a report based on speculation.

What proof must be provided?

Required proof comes in two stages. The first is your first-hand 'technical' knowledge of the reported abuse. The second, if your initial claim passes vetting and proceeds to investigation, will include the Personally Identifiable Information (PII) being abused, emails, contracts or the company name.

There are six stages a submission must go through before a reward is paid. They are:

  1. Identify Stage: malicious apps are identified by users
  2. Submit Stage: the abuse is submitted through the Data Abuse Bounty form
  3. Vetting Stage: Facebook vets your submission
  4. Investigation Stage: Facebook gathers further information and details for a deeper investigation
  5. Enforce Stage: the data abuse policy is enforced against the malicious app
  6. Reward Stage: the user is rewarded

The above process is estimated to take between 3 and 6 months, since it involves technical, legal and organizational efforts, which naturally differ by country and market.

A note of warning: any data obtained illegally or without due authorization will not be rewarded. Also, a bounty will only be paid if the reported abuse affects 10,000 users or more.

So there you go; let's get some feedback from you.

The Facebook Data Abuse Bounty Program is a program to help protect people's data on Facebook following the revelation that the data of 87 million users was abused by Cambridge Analytica. It works by incentivizing anyone to report apps that collect user data and pass it to malicious parties to be exploited.

Actions taken under the Data Abuse Bounty include, but are not limited to: termination of the offending application from the Facebook platform, initiation of a forensic audit of the related systems, and legal action against the company and the other parties involved.
