Bug hunters never had it so good. As it stands, Google routinely pays sizable sums for bringing security flaws to its attention, and following suit is Facebook. The social networking site posted a "Security Bug Bounty" page in which it details rules and awards for tracking down "qualifying security bugs." A typical bounty is $500, though if you find a particularly juicy one, Facebook says it will consider increasing the payout. Ready to go bug hunting? Here's what you need to know.
To be eligible for a payout, you have to adhere to Facebook's Responsible Disclosure Policy, which essentially asks that you give Facebook "reasonable time to respond to your report before making any information public and make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service during your research." You also have to be the first to report a bug and reside in a country not under any current U.S. sanctions.
Facebook's bounty applies to specific bugs "that could compromise the integrity or privacy of Facebook user data," including Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF/XSRF), and Remote Code Injection. Some exclusions apply, all of which you can read here.