Instagram wants hackers to put its latest shopping feature to the test.
The Facebook-owned company said it is inviting a select group of security researchers to stress test its Checkout feature before it expands it beyond the United States.
The tool, which launched in March, allows users to buy products directly on Instagram from a select number of brands, including Zara, H&M and Nike. Previously, users had to leave the Instagram app and purchase the item from the retailer’s website.
Instagram previously said payments on the Checkout feature are secure and processed in partnership with PayPal. Instagram has also said it doesn’t share payment information with sellers, and it keeps financial information on secured servers.
The researchers, who are also called white hat hackers, find vulnerabilities before a bad actor might in order to protect users. In this case, they’ll get early access to the global feature and earn rewards for eligible reports. Those who qualify have previously submitted “high-quality” research to its bug bounty program.
In 2018, Facebook paid out over $1.1 million in rewards to researchers from more than 100 countries, who found and reported security vulnerabilities and data abuse. The average award amount was about $1,500 last year.
This isn’t the first time Instagram’s parent company Facebook has invited white hat hackers to test a feature.
Facebook said it gave a select group of researchers early access to FB5, which is Facebook’s redesigned lookthat it unveiled at its F8 developers conference earlier this year.
Philippe Harewood, one of the researchers who took part in the private program, found a bug in Facebook’s new interface, which could have let someone remove another person’s profile photo. The company said Harewood’s work allowed the company to fix the issue before it rolled out FB5 around the world.
Facebook is also expanding its data abuse bug bounty program to Instagram, which is intended to find and kick off apps that abuse its platforms. Now researchers will be able to report third-party apps that improperly access and store user data on Instagram.
Facebook started its bug bounty program in 2011. Last year, it launched another program focused on data abuse following revelations that Cambridge Analytica improperly harvested data from millions of users.
The data-abuse-focused program rewards people who report cases where a third-party app collects and transfers people’s Facebook — and now Instagram — data to another party to be sold or used for scams and other purposes. Rewards can go up to $40,000 per case.
Other tech companies also offer bug bounty programs. Google paid out a total of $3.4 million rewards in 2018 to researchers who found vulnerabilities. Earlier this month, Apple said it would offer hackers up to $1 million to hack an iPhone.