Obviously you must be the first person to report a specific bug; no bounties for an error are given out twice. Facebook notes that some who submitted security errors in the past — who received little compensation other than maybe a t-shirt — were eventually brought on to the Facebook security team.
“Typically, it’s no longer than a day” to fix a bug, Facebook Chief Security Officer Joe Sullivan told Cnet in a conference call.
Only participants who legally agree to Facebook’s Responsible Disclosure Policy (which states that they will not publish or make available any of their findings), will be allowed to participate. In Facebook’s typical menacing-and-friendly-at-the-same-time sort of way, the company states, “If you give us a reasonable time to respond to your report before making any information public and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research, we will not bring any lawsuit against you or ask law enforcement to investigate you.”
Facebook has said that it will allow registered researchers, as they’re being called, to set up test accounts so they don’t have to worry about their own when going to work.
Also, there are exceptions to what Facebook will pay for: Security bugs in third-party applications, third-party websites that integrate with Facebook, Facebook’s corporate infrastructure, denial of service vulnerabilities and spam or social-engineering techniques are all excluded.
With regards to the last, a lot of Facebook users probably wouldn’t mind if they eventually opened up the floodgates against Newsfeed spam. We can only hope.
Either way, let the games begin.