Facebook has announced its plans to expand its bug bounty program to include issues of app developers misusing users’ data.

DevOps Connect:DevSecOps @ RSAC 2022

On 26 March, Facebook’s director of product partnerships Ime Archibong made public the social network’s intention to reward researchers for spotting instances of data misuse by app developers. The change is expected to take effect in the spring of 2018.

This modification of its vulnerability disclosure framework (VDF) is just one of the modifications Facebook is introducing after reports of data misuse on the platform made national headlines. To squelch similar abuses from occurring in the future, the social network has already modified the terms by which third-party apps can obtain access to a user’s list of friends. The Menlo Park social media giant will now review all requests for that user_friends permission and will look into what app developers intend to do with that data if granted the right to view it.

In the coming months, Facebook aims to review “all apps that had accesjs to large amounts of information before we changed our platform in 2014 to reduce data access,” writes Archibong. It will then conduct a full audit of any suspicious apps identified in the investigation. If it decides to remove any app for data misuse, Facebook will inform the community of this.

At the same time, the social networking company wants to make it easier for users to control the data they share with apps and to require heightened terms for business-to-business applications.

Archibong has high hopes for these alterations to the platform. As he explains in his blog post:

We know these changes are not easy, but we believe these updates will help mitigate any breach of trust with the broader developer ecosystem. Facebook would like to thank you and the entire global developer community (Read more...)