Facebook today announced it paid out $1.5 million to 330 security researchers around the world in 2013 as part of its bug bounty program, which launched back in August 2011. In fact, the company has now paid out over $2 million in rewards, after passing the $1 million milestone back in August.
In total, Facebook received 14,763 submissions in 2013 (each one reviewed individually by a security engineer), up 246 percent from 2012. Of those, only 687 (just 4.65 percent) were valid and eligible to receive rewards. The average reward was $2,204, and Facebook said the majority of bugs were discovered in “non-core properties,” such as websites operated by companies it has acquired.
Furthermore, just 6 percent of those eligible bugs were categorized as high severity. Facebook says its median response time for these critical issues was just six hours, from reading the first submission to implementing an initial fix, and it’s going to keep trying to lower that number going forward.
Researchers in Russia earned the highest amount per report in 2013, receiving an average of $3,961 for 38 bugs. India contributed the largest number of valid bugs at 136, with an average reward of $1,353, followed by the US (92 issues at an average of $2,272), Brazil (53 bugs at an average of $3,792), and the UK (40 bugs at an average of $2,950).
As for 2014, Facebook says the volume of high-severity issues is down, and security researchers are telling the company that it’s “tougher to find good bugs.” To ensure they don’t lose interest, the social networking giant says it will continue increasing its reward amounts for high priority issues.
The company is also making the following changes:
- A new centralized Support Dashboard to give researchers a simple way to view the status of their reports and keep track of progress.
- The following properties are now in scope: Instagram, Parse, Atlas, and Onavo.
- Text injection reports are no longer being rewarded, since Facebook has decided rendering text on a page isn’t a security issue on its own without some kind of additional social engineering, and phishing reports don’t count for the program.
- Facebook has created a reference list of commonly reported issues that are ineligible.
The second point is worth underlining as the company notes the best targets for high-impact issues as a security researcher are Facebook.com itself, the Facebook or Instagram mobile apps, and HipHop Virtual Machine. It’s safe to assume that when the WhatsApp acquisition closes, those apps will also eventually be included in the security program.
Top Image Credit: Brendan Smialowski / Getty Images