I for one think this is a brilliant concept. As mentioned previously it taps into the feeling of exclusivity and being part of the 'elite few' eligible for such a thing, going much farther than just a monetary reward. Surely that in itself is enough to keep hackers interested and producing results, which ultimately is what the program aims to do.
You have the option of getting a check, Western Union payment, or the card. The WU option may no longer be there since they put out this debit card -- not sure.
Hell, I work as a security consultant for a living and any time I touch live finance systems I tread very lightly. Any significantly complex system with money directly involved is going to have too many variables to predict its behavior. I wouldn't touch something like this with a ten foot clown pole.
Presumably this is being run through a real bank with a real underwriting department. A VISA card that works at ATMs is not fun-and-games; it's not a Facebook feature.
From what I understand, it looks like basically a branded VISA gift card. The interface to add value to the card is going to be something VISA controls, not Facebook. So searching for weaknesses to add value to the card is equivalent to searching for weaknesses in the VISA network.
If that's incorrect, someone who knows more can correct me.
Since Facebook has only given money to 81 people so far, I'm going to guess this is a very manual procedure. There's probably only one guy somewhere that can authorise these things. It's not like they have (or can have) an automated 'bug bounty software'.
The card reminds me of the American Express Black Card in its exclusivity. It's like a certificate of achievement and a nice item to have even after you spend the money.
Er no, you just need lots of money to get that. Wikipedia says:
"The "Centurion" card is invitation-only after appropriate net worth, credit and spending criteria are met. American Express does not publicly disclose the requirements for getting a card"
This is why we can't have nice things. Really. I'm a security researcher and previously had no real interest in Facebook's bug bounty program, but once I saw this I decided to start poking at it just to get one. The card is a cool way of getting people into the program and rewarding them beyond just the money. Please, please don't make things like this harder on companies; if someone does something cool, take it for what it is.