- Facebook is launching a data abuse bounty program to ask its users to help it find companies using unauthorized data.
- It will pay from $500 to upward of $40,000 for substantiated cases.
- Only Facebook is included in the program at this time, not other platforms like Instagram.
Facebook will pay upward of $40,000 to people who catch large data leaks.
The company announced a bounty program on Tuesday which would reward people who find cases of data abuse on its platforms. Payouts start at $500, and people can receive more than $40,000 for big discoveries. The data abuse program is the first of its kind in the industry.
"It will help us find the cases of data abuse not tied to security vulnerability. ... This will cover both hemispheres, and help surface more cases like Cambridge Analytica so we can know about it first and take action," Facebook's chief security officer, Alex Stamos, told CNBC.
Cases that are brought to Facebook's attention and submitted with evidence will be vetted by its bug and data abuse bounty team. The company will investigate the report and decide what action to take. Possible scenarios include shutting down the app, suing the data leaker or conducting an onsite audit of the company selling or buying unauthorized data.
The company currently has 10 people on the bug bounty team, but plans to hire more people and involve other teams in order to investigate substantiated claims.
To be eligible, a case must involve at least 10,000 Facebook users and show how data was abused (not just collected), and Facebook must not have been aware of that specific issue before. Companies that scrape data, anyone who uses malware to get people to install apps, social engineering projects and non-Facebook cases on its other platforms like Instagram are not eligible. Facebook is open to expanding the program down the road.
"A door is always open if a whistleblower wants to say there's something sketchy here," Facebook's head of product security, Collin Greene, said to CNBC.
Facebook first announced its intention to launch a data abuse bounty program in late March in response to the Cambridge Analytica data leak scandal. The data analytics firm was able to use unauthorized data from a psychology quiz, intended for academic purposes only, to target potential voters during the 2016 U.S. presidential election. Cambridge Analytica and the creator of the app, Aleksandr Kogan, have denied the accusations.
The data abuse bounty program is based on Facebook's current bug bounty program, which pays people who find security flaws on its platforms. Facebook pays out over $1 million on average a year in bug bounties, executives said.