Facebook hands out White Hat debit cards to hackers (cnet.com)
146 points by FluidDjango on Dec 31, 2011 | 30 comments



I for one think this is a brilliant concept. As mentioned previously it taps into the feeling of exclusivity and being part of the 'elite few' eligible for such a thing, going much farther than just a monetary reward. Surely that in itself is enough to keep hackers interested and producing results, which ultimately is what the program aims to do.


This is a well-meaning gesture and I'm sure that Facebook can't track transactions just because they commissioned the card.

Still, I can't imagine security researcher types are going to like the idea of making daily purchases with a card commissioned and owned by Facebook!


I'm sure if you're finding bugs and you ask nicely, Facebook will forgo the publicity stunt for you and just cut you a check.


You have the option of getting a check, Western Union payment, or the card. The WU option may no longer be there since they put out this debit card -- not sure.


You can also do what I do: take the card to your local bank branch and have them withdraw all the money off the card. ;-)


The article says they can withdraw cash from ATMs.


So what happens when one of the White Hats figures out how to access the interface used to add value to his/her card?


He goes to prison?

But seriously, I wouldn't even look for holes in any payment system without prior indemnification.


Hell, I work as a security consultant for a living and any time I touch live finance systems I tread very lightly. Any significantly complex system with money directly involved is going to have too many variables to predict its behavior. I wouldn't touch something like this with a ten foot clown pole.


Presumably this is being run through a real bank with a real underwriting department. A VISA card that works at ATMs is not fun-and-games; it's not a Facebook feature.


Yea, this is well into the realm of going to jail for a long time if you touch anything. Find it pretty doubtful that anyone will even try.


Indeed. It's a Chase Visa card :)


From what I understand, it looks like basically a branded VISA gift card. The interface to add value to the card is going to be something VISA controls, not Facebook. So searching for weaknesses to add value to the card is equivalent to searching for weaknesses in the VISA network.

If that's incorrect, someone who knows more can correct me.


That is correct.


The card is a Chase Paymentcard (https://www.mychasepaymentcard.com/). None of us have authorization to mess with Chase's applications. ;-)


Since Facebook has only given money to 81 people so far, I'm going to guess this is a very manual procedure. There's probably only one guy somewhere that can authorise these things. It's not like they have (or can have) an automated 'bug bounty software'.


His hat changes color?


The card reminds me of the American Express Black Card in its exclusivity. It's like a certificate of achievement and a nice item to have even after you spend the money.


Er, no, you just need lots of money to get that. Wikipedia says:

"The "Centurion" card is invitation-only after appropriate net worth, credit and spending criteria are met. American Express does not publicly disclose the requirements for getting a card"


Yes, in that example the "achievement" is meeting their net worth and spending criteria.


"Facebook whitehat card not as prestigious as the SVC card, but very cool."

What's the SVC card?


I assume it's a card issued by Secunia's program:

http://secunia.com/community/research/svcrp



Shouldn't the card be ivory?


I think the card would look more distinctive if it were white. :)


When I heard about the white hat card I imagined it having a more facebooky look.

Like Facebook blue and "white hat" in the Facebook font.

The debit card is a really cool idea though.


Is that MZ in the reflection?


It certainly looks like him.

The image was provided by Facebook as well so I guess it would be pretty safe to assume it's MZ.


[deleted]


This is why we can't have nice things. Really. I'm a security researcher and previously had no real interest in Facebook's bug bounty program, but once I saw this I decided to start poking at it just to get one. The card is a cool way of getting people into the program and rewarding them beyond just the money. Please, please don't make things like this harder on companies; if someone does something cool, take it for what it is.


It's a lot more clever than the silly challenge tokens other companies give out.



