Unauthorized data scraping is something that Meta rigorously fights against on its multiple social media platforms. A few months ago, it detailed some of its defense mechanisms against the activity and also banned the New York University (NYU) Ad Observatory project from Facebook because of its reported - but contested - involvement in such practices. Like most companies, Meta already has a Bug Bounty Program through which it rewards researchers for discovering and reporting security flaws in its products. Now, it has announced that it is expanding the scope of the rewards to cover two new areas related to unauthorized scraping activities.
The first area deals with scraping bugs, currently available as a private bounty track only to Gold+ HackerPlus researchers. Essentially, Meta wants you to reports bugs that enable malicious actors to access data at a greater scale than the product intended, even if the data in question is public. The emphasis is on logical bypass with automated data scraping still not allowed, it has to be a purely manual effort. Meta claims that it is probably the first company to offer bounties for scraping bugs.
The second new area for bug bounties is associated with scraped datasets. If you report unprotected or public datasets with the personally identifiable information (PII) of more than 100,000 users, and Meta is not previously aware of its existence, you will be rewarded for reporting it. Furthermore, if this data is present in third-party repositories like an Amazon S3 bucket, Meta will work with relevant authorities to take it down.
Rewards for both types of valid reports start at $500, but can be more depending upon the severity. Monetary rewards will be directly provided to researchers for reporting scraping bugs, but for scraping datasets, donations will be made to a nonprofit charity of the researcher's choosing. Meta will also separately match each bounty. The idea behind doing this is to not incentivize scraping and publishing of PII datasets.