Meta extends bug bounty program to reward scraped data discoveries

Meta is expanding its bug bounty program to reward researchers who report data scraping. The change will allow researchers to report bugs that could enable scraping activity as well as previously scraped data already published online.

In a blog post, Meta says it believes it is the first to launch a bug bounty program specifically targeting scraping activities. “We’re looking for vulnerabilities that would allow attackers to bypass scraping restrictions to access data at a larger scale than we originally intended,” Security Engineering Manager Dan Gurfinkel said in a briefing.

Data scraping is different from other “malicious” activities Meta tracks because it uses automated tools to collect personal information from user profiles en masse, such as email addresses, phone numbers, profile pictures and other details. While users often like to share this information on their public Facebook profiles, scrapers can publicize these details more widely, such as by publishing the information in searchable databases.

It can also be difficult for Meta to combat this activity. In April, for example, the personal information of more than 500 million Facebook users was published on a forum. In that case, the actual data scraping would have happened years earlier and the company had already addressed the underlying flaw. But there was little it could do once the data started circulating online. In some cases, the company has also sued individuals for data scraping.

Under the new bug bounty program, researchers will be rewarded for finding “unprotected or overtly public databases containing at least 100,000 unique Facebook user records containing PII [personally identifiable information] or sensitive data (e.g. email, phone number, physical address, religious or political affiliation).” In lieu of the usual payouts, Meta says it will donate to a charity chosen by the researcher so as not to encourage the publication of scraped data.

For reports of bugs that could lead to data scraping, researchers can choose between a donation or an instant payout. Meta says any bug or dataset is eligible for a prize of at least $500.
