Facebook expands bug bounty program to include ‘data misuse’

by Morgan Chalfant - 03/28/18 10:54 AM ET

Facebook will expand its security flaw reporting program to allow users to report potential misuse of data by app developers, the company’s latest reaction to massive backlash over the Cambridge Analytica controversy.

The so-called bug bounty program is designed to incentivize researchers to report security vulnerabilities on Facebook or any of its sister platforms so that the company can correct them. Researchers who successfully report security flaws are rewarded for their work.

{mosads}Facebook said in a statement that it is expanding the program to apply to individuals who report data misuse by app creators.

“Facebook’s bug bounty program will expand so that people can also report to us if they find misuses of data by app developers,” Ime Archibong, Facebook’s director of platform partnerships, said Monday. “We are beginning work on this and will have more details as we finalize the program updates in the coming weeks.”

The decision is one prong of Facebook’s efforts to address mounting concerns about user data privacy after it was revealed that data firm Cambridge Analytica accessed information on 50 million Facebook users without their consent by exploiting a survey app and later used it to boost political campaigns. The data firm, which has ties to President Trump’s 2016 campaign, has said it did nothing improper.

Facebook CEO Mark Zuckerberg has sought to stem the controversy with public apologies, saying that the company will take steps to better protect user data and limit the amount of data that apps can collect.

Meanwhile, Zuckerberg faces mounting pressure to testify before Congress on the matter.

Archibong noted Tuesday that Facebook is investigating all apps that had access to large droves of data before the company made changes to its platform in 2014 to reduce data access. The company will also inform people when apps are removed due to data misuse, he said.

“If we find developers that misused personally identifiable information, we will ban them from our platform,” Archibong said, adding that the changes are intended to “help mitigate any breach of trust with the broader developer ecosystem.”