This article was published on August 2, 2013

Two years in, Facebook has paid 329 security researchers over $1 million as part of its Bug Bounty program


Two years in, Facebook has paid 329 security researchers over $1 million as part of its Bug Bounty program

Facebook today announced it has paid out over $1 million to 329 security researchers as part of its bug bounty program, which launched just over two years ago. The researchers are spread across 51 different countries, according to the company, and only 20 percent of bounties paid out so far have been to US-based recipients.

The top five countries with the most bounty recipients are: the US, India, UK, Turkey, and Germany. The top 10 countries with the fastest growing number of recipients are: the US, India, Turkey, Israel, Canada, Germany, Pakistan, Egypt, Brazil, and Sweden.

Facebook says the program has been “even more successful than we’d anticipated.” In fact, the company has hired two recipients for full-time jobs on its security team.

“This early progress is really encouraging, in no small part because programs like these can have a significant impact on our ability to keep Facebook secure,” Collin Greene, Security Engineer at Facebook, said in a statement. “After all, no matter how much we invest in security — and we invest a lot — we’ll never have all the world’s smartest people on our team and we’ll never be able to think of all the different ways a system as complex as ours might be vulnerable. Our Bug Bounty program allows us to harness the talent and perspective of people from all kinds of backgrounds, from all around the world.”

Facebook plans to continue expanding the program, but wouldn’t reveal exactly what it has planned. The general criteria the company currently uses to determine the amount to pay researchers when they submit a bug is broken into four primary factors:

  • Impact: Would this bug allow someone to access private Facebook data? Delete Facebook data? Modify an account? Can you run JavaScript under facebook.com? These are high-impact vulnerabilities, and this is the most important attribute. Ease of exploitation plays into impact as well as ultimately Facebook pays bounties to protect its users, so the more users it could affect and the more damage it could do, the higher the impact.
  • Quality of communication: Can you provide detailed, easy-to-follow instructions on how to reproduce the issue? Do you have a proof of concept, or screenshots? Cooperation and good communication as Facebook works to evaluate a submission is crucial. Facebook does not reward anyone for speaking English or for writing long reports.
  • Target: Facebook.com, Instagram, HHVM, and Facebook’s mobile applications are considered high-value targets, and typically earn more significant bounties than bugs in code not written by Facebook or bugs that are unrelated to user data.
  • Secondary Damage: Bugs that lead Facebook to more bugs get bigger payouts. In these cases, the initial bug is much more valuable because the subsequent investigation and fixing of the original bug leads us to additional issues that the company can fix.

Google and Mozilla also offer notable bug bounty programs, and Microsoft recently joined the party as well. With its program, Facebook is reaping the same benefits as other technology companies, and given its success so far, it likely will continue doing so for as long as it can make payouts.

See also – Facebook starting to pay hackers to discover vulnerabilities and British researcher nets $20,000 ‘bug bounty’ for discovering major Facebook security flaw

Top Image Credit: Brendan Smialowski / Getty Images

Get the TNW newsletter

Get the most important tech news in your inbox each week.

Also tagged with