This has not been Facebook's proudest year for privacy and security. The company faced the massive Cambridge Analytica data misuse and abuse scandal in April and beyond. It also disclosed its first data breach in October, which compromised information from 30 million accounts. But Facebook has at least one security-focused bright spot it can point to in 2018: its bug bounty.

Bug bounties are programs that let security researchers submit potential flaws and vulnerabilities in a company's software. Anyone can send a report and, perhaps, receive a reward for helping lock down a company's systems. Welcoming bug reports was a controversial practice for decades, but Facebook's program, which launched in 2011, is one of the oldest and most mature in the industry. The bug bounty has paid out more than $7.5 million over time, including $1.1 million in 2018. And this year Facebook also paid its biggest single bounty ever, $50,000, to one of its top contributors.

The bug that garnered this windfall was in Facebook's developer subscription mechanism for notifications on certain types of user activity. Think of it as RSS for data being generated on Facebook. The researcher found that in certain situations a developer, or attacker, could have manipulated the subscriptions to receive updates that shouldn't have been authorized about certain actions and users. For instance, a rogue developer could have gotten regular updates on who liked or commented on a specific post.

The submission scored Facebook's highest bounty offering because it led to the discovery of a whole class of potential exposures that could have been misused. Of the 17,000 reports the company received in 2018, it paid a bounty on 700, with an average prize of around $1,500.

"It is not uncommon for us to receive reports about high or critical bugs from researchers," says Dan Gurfinkel, Facebook's security engineering manager. "The September security incident involved a case of three different bugs interacting with one another. Among other lessons, it served as a reminder that it's important to get as many eyes as we can to evaluate and test our code. The bug bounty program is an important part of this work, and that's why we continue to develop new ways to engage researchers."

As a result of the Cambridge Analytica revelations, Facebook expanded the scope of its bounty in April to include "data abuse," situations where Facebook's third-party app developers misuse the customer data they get access to. The company also began accepting bug reports about third-party apps themselves, acting as a sort of liaison for vulnerabilities that the social network can't directly fix, but that impact its users. Both of these expansions add important nuance, and are areas that most other companies have yet to grapple with in their own bug bounties. Facebook says that in just a few months it has already begun receiving a number of high-quality submissions that address those new bug categories.

"They were very specifically trying to look for something that would otherwise be difficult to detect via technical means," says Katie Moussouris, a bug bounty expert and founder of the firm Luta Security. "If a third party is authorized to get Facebook data in its terms of service and then is abusing the terms of service, that's very hard to detect."

Luta Security consulted with Facebook on refining the data abuse expansion to articulate a subtle distinction. Facebook wanted to make it clear that researchers shouldn't breach user data in the process of finding problems, but they should submit more nuanced types of data misuse reports whenever it was possible to document these complex interactions safely.