Instagram will pay a bounty to security researchers who find evidence that third-party apps are misusing your personal data. The program aims to encourage experts outside of Instagram and its parent company Facebook to tackle a major problem the social network faces: apps that scrape user data or try to trick you into sharing passwords and other sensitive information.
It’s called the Data Abuse Bounty, and the program is a twist on a traditional bug bounty program, which typically pays researchers when they identify vulnerabilities that hackers could exploit to steal information.
“Our goal is to help protect the information people share on Instagram and encourage security researchers to report potential abuse to us so we can quickly take action,” Instagram security engineering manager Dan Gurfinkel wrote in a blog post Monday. The company didn’t specify how much it would pay researchers but said it would base the bounty on the impact and quality of their reports.
A similar program was rolled out for Facebook in April 2018 in the wake of the Cambridge Analytica scandal, in which a political consultancy in the UK obtained millions of Facebook user records from a third-party app developer. The data was shared against Facebook’s policies, but the company didn’t have a way of tracking what happened to it after the app developer first collected it. As part of its response to the scandal, Facebook expanded its bug bounty program to include data abuse in addition to cybersecurity flaws.
Monday’s announcement is a continuation of that effort, Instagram’s head of engineering Nam Nguyen said in a statement.
“Expanding and building on the Facebook bug bounty program is a key development in our ongoing security efforts, and we are grateful to the wider security community for all they do to help keep our platforms safe,” Nguyen said.
The company is also asking developers to help identify any flaws in its Checkout feature, which lets Instagram users make purchases without leaving the app. The service is currently available to US users and in beta for businesses, meaning a limited number of retailers can use it to sell in the US.