On Friday 29 July, social networking giant Facebook Inc. announced a program that pays people to find holes in its security system. Compensation will start at $500 and so far, no financial ceiling has been set.
You must be the first person to report a specific bug; a bounty for a given bug is paid only once. Facebook notes that some who submitted security bugs in the past — and received little compensation other than maybe a t-shirt — were later hired onto the Facebook security team.
In Facebook’s typical menacing-and-friendly-at-the-same-time sort of way, the company states, “If you give us a reasonable time to respond to your report before making any information public and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research, we will not bring any lawsuit against you or ask law enforcement to investigate you.”
“Typically, it’s no longer than a day” to fix a bug, Facebook Chief Security Officer Joe Sullivan told Cnet in a conference call. Only participants who legally agree to Facebook’s Responsible Disclosure Policy (which states that they will not publish or otherwise make available any of their findings) will be allowed to participate.
Facebook has said that it will allow registered researchers, as they are being called, to set up test accounts so they do not have to risk their own accounts while doing their research. There are also exceptions to what Facebook will pay for: security bugs in third-party apps, third-party websites that integrate with Facebook, Facebook’s corporate infrastructure, denial-of-service vulnerabilities, and spam or social-engineering techniques are all excluded from the program.