Facebook’s bug bounty program has given more than $1M to researchers in 51 countries

Facebook has tapped into the power of crowdsourcing to make the site a safer place and reward researchers willing to help it out to that end.

The social network shelled out more than $1 million over the past couple of years to 329 people in 51 countries who reported security problems with the site. The youngest was 13 years old. A couple of those researchers went on to work for the tech giant’s security branch.

The Bug Bounty program was launched in 2011 to reward people who report issues to the site and make it a safer place to hang out online, Facebook Security Engineer Collin Greene says in a note posted to the site’s security blog:

So far the program has been even more successful than we’d anticipated. We’ve paid out more than $1 million in bounties, and have collaborated with researchers from all around the world to stamp out bugs in our products and in our infrastructure.

One-fifth of that went to folks in the United States, the highest percentage for a single country. Nations with the most bounty recipients, in order, are:

  • United States
  • India
  • United Kingdom
  • Turkey
  • Germany

Countries with the fastest-growing number of awardees are, in order:

  • United States
  • India
  • Turkey
  • Israel
  • Canada
  • Germany
  • Pakistan, Egypt
  • Brazil
  • Sweden
  • Russia

The single largest reward to date has been $20,000, though there’s no official cap on the bounty size, Greene says. Some researchers earned several bounties, raking in six-figure totals.

This early progress is really encouraging, in no small part because programs like these can have a significant impact on our ability to keep Facebook secure. After all, no matter how much we invest in security – and we invest a lot – we’ll never have all the world’s smartest people on our team and we’ll never be able to think of all the different ways a system as complex as ours might be vulnerable.

Determining a bounty

As the program matures, the company wants to get the word out about how it decides how much to reward a person for their freelance security consulting. Greene says Facebook considers four factors:

  • Impact: Would the glitch let someone hack into private Facebook info? Delete it? Change it? Can it run JavaScript on the site? The more users it affects, the higher the danger and the higher the impact, and thus the higher the reward.
  • Quality of communication: How much detail can you offer? Do you have instructions to share on how to reproduce the problem? Can you send easy-to-follow instructions, proof and screenshots?
  • Target: Bugs reported in Facebook, Instagram, HHVM and the mobile apps count as high-value targets, Greene says. And again, the higher the value, the higher the bounty.
  • Secondary damage: If your bug leads to more bugs, it also leads to bigger cash rewards.
