Instagram will pay researchers to find apps abusing their data

Instagram is getting serious about rooting out third-party apps that break its rules.

The company announced a new bug bounty program specifically aimed at finding third-party apps that misuse Instagram data. Facebook put the program in place last spring, but it didn’t apply to Instagram until now.

Instagram’s new bug bounty program comes less than two weeks after Business Insider reported that HYP3R, once touted as one of the company’s “preferred marketing partners,” had scraped location data and other info from millions of Instagram users. It was later removed for violating Instagram’s terms of service. 

The incident was a reminder that Instagram is not safe from the data misuse that has plagued Facebook. Besides HYP3R, hackers have successfully impersonated Instagram analytics services in order to hijack high-profile accounts. 

“Our goal is to help protect the information people share on Instagram and encourage security researchers to report potential abuse to us so we can quickly take action,” Instagram security engineer Dan Gurfinkel wrote in a blog post. 

An Instagram spokesperson declined to share how much its new bug bounty program would pay out, but pointed to Facebook’s 2018 bug bounty payouts, which averaged about $1,500 across more than 700 reports. More serious flaws can earn an average of $40,000. 

Additionally, Instagram is starting an invitation-only bug bounty program to test its new forthcoming shopping features. Called “checkout,” the feature will let users buy products from brands without leaving the Instagram app. 

The company has been testing the service with a handful of brands since March. And though Instagram hasn’t shared when checkout might be more widely available, the fact that it’s inviting security researchers to “stress test” the feature suggests it’s moving closer to an official launch.