Facebook’s Bug Bounty Program Pays Out $936K in 2015

By David Cohen


Facebook received fewer bug submissions in 2015 than in 2014, but the social network was alerted to more high-impact bugs.

Security engineer Reginaldo Silva—himself a former awardee of the social network’s bug bounty program—released the program’s 2015 statistics in a note.

Silva wrote that since the creation of Facebook’s bug bounty program in 2011, more than 2,400 valid submissions have been received, with over $4.3 million awarded to more than 800 researchers globally.

As for 2015, Silva said:

  • A total of 13,233 submissions were received from 5,543 researchers in 127 countries.
  • 102 of those submissions were classified as high-impact, up 34 percent from 2014.
  • A total of $936,000 was paid out to 210 researchers for 526 valid reports, for an average payout of $1,780.
  • The highest number of payouts went to researchers in India, Egypt and Trinidad and Tobago.

Silva attributed the drop in total submissions, and the simultaneous rise in high-impact ones, to better-quality reports that included detailed reproduction steps and, in some cases, full attack scenarios. He also credited a greater focus on inconsistencies in the company’s business logic, which let Facebook “eradicate entire classes of vulnerabilities all at once” rather than fixing one endpoint at a time.

Finally, he highlighted the following three bug submissions from this past year:

  • Jack Whitton reported a bug, surfaced by the launch of Messenger.com, that left the site without CSRF protection.
  • Philippe Harewood reported a bug in the GraphQL layer behind Graph Search that let users infer data they were not authorized to see.
  • Back on the topic of CSRF, Pouya Darabi found a single endpoint that let him bypass the protection site-wide.

Readers: Have you ever reported any bugs to Facebook?

