Meta expands bug bounty programme to cover data scraping

The move comes two years after a massive scraping incident on Facebook that resulted in data leaking online

A smartphone lying on a laptop displaying the Meta company logo

Meta has expanded its bug bounty programme to include flaws that lead to data scraping in a move it's describing as an industry-first.

The programme will now cover database scraping and also offer rewards for researchers who can simply show novel methods of scraping on its products - the latter of which is a first-of-its-kind programme, according to the newly rebranded parent company of Facebook.

It will begin as a private programme only available to Meta's Gold+ HackerPlus security researchers - a title for researchers who have reported at least five valid bugs to the company - and will offer rewards to those who show how data scraping can be achieved, regardless of the degree of impact on the product.

Researchers can submit methods even if the data is public and Meta said it's particularly looking for reports regarding logic bypass issues - flaws that permit access to data via unintended mechanisms.

Data scraping can be achieved using specially crafted scripts, often using the Python programming language, which are designed to lift the data from any given web page. These scripts can be designed to grab specific information, depending on the target and the purpose of the activity.

Related Resource

How to reduce the risk of phishing and ransomware

Top security concerns and tips for mitigation

Large letter 'O' against a background of a city - whitepaper from MimecastFree download

"We know that automated activity designed to scrape people’s public and private data targets every website or service," said Meta in an announcement.

"We also know that it is a highly adversarial space where scrapers - be it malicious apps, websites or scripts - constantly adapt their tactics to evade detection in response to the defences we build and improve. As part of our larger security strategy to make scraping harder and more costly for the attackers, today we are beginning to reward valid reports of scraping bugs in our platform."

The move comes more than two years after the company formerly known as Facebook first identified an issue that allowed users to scrape data of 533 million of its users. The data was leaked online, in full, by a hacker earlier this year after they ran an underground business that saw people pay small sums to access and retrieve information such as users' phone numbers.

Meta has said it will also reward researchers who can demonstrate they can scrape datasets containing at least 100,000 Facebook user records, starting today.

To be eligible for a reward, the dataset must be unique and unknown to Meta, and contain personally identifiable information (PII) such as email addresses, phone numbers, physical addresses, or religious or political affiliations.

"If we confirm that user PII was scraped and is now available online on a non-Meta site, we will work to take appropriate measures, which may include working with the relevant entity to remove the dataset or seeking legal means to help ensure the issue is addressed," the company said.

The maximum reward for the programme is not disclosed by Meta, but it said each successful, eligible disclosure will be rewarded with the bare minimum of $500 (£376).

Database scraping is often confused with a data breach and it represents an interesting differentiation of the two terms, despite the outcome largely being the same - user data falling into the hands of those with whom the user did not explicitly share.

Unlike data breaches, which fall under the Computer Misuse Act, there is no specific law against data scraping in the UK. However, sites can take action against individuals if the data scraping results in an infringement of intellectual property or breaches the site's terms of service.

Featured Resources

Modern governance: The how-to guide

Equipping organisations with the right tools for business resilience

Free Download

Cloud operational excellence

Everything you need to know about optimising your cloud operations

Watch now

A buyer’s guide to board management software

How the right software can improve your board’s performance

The real world business value of Oracle autonomous data warehouse

Lead with a 417% five-year ROI

Download now

Recommended

Senate report slams agencies for poor cyber security
cyber security

Senate report slams agencies for poor cyber security

3 Aug 2021
Most employees put their workplace at risk by taking cyber security shortcuts
cyber security

Most employees put their workplace at risk by taking cyber security shortcuts

27 Jul 2021
61% of organizations say improving security a top priority for 2021
cyber security

61% of organizations say improving security a top priority for 2021

29 Jun 2021
Senator reintroduces federal data protection bill
data protection

Senator reintroduces federal data protection bill

17 Jun 2021

Most Popular

How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

6 Jan 2022
Sony pulls out of MWC 2022
Business operations

Sony pulls out of MWC 2022

14 Jan 2022
Dell XPS 15 (2021) review: The best just got better
Laptops

Dell XPS 15 (2021) review: The best just got better

14 Jan 2022