In the wake of the Cambridge Analytica scandal, Facebook made some changes to its privacy policies and stepped up some of its security efforts. In April, it began offering rewards to those reporting data abuse on the part of app developers. Gurfinkel noted in today's blog post that app developers are still required to protect users' data and the expanded bug bounty program isn't meant as a replacement for those obligations.

Those with valid reports will be given a minimum of $500, with that amount increasing in line with the impact of the report. "Importantly, we will only accept reports if the bug is discovered by passively viewing the data sent to or from your device while using the vulnerable app or website," wrote Gurfinkel. "You are not permitted to manipulate any request sent to the app or website from your device, or otherwise interfere with the ordinary functioning of the app or website in connection with submitting your report." Affected apps will be notified and Facebook will work with them to fix the issue. Those that don't respond will be suspended until the problem has been addressed and a security review has been completed. Facebook will also notify any users affected by a reported vulnerability.