Since Facebook launched its bug bounty program two years ago, more than $1 million in rewards has been handed out to 329 people in 51 countries, Security Engineer Collin Greene reported in a note on the Facebook Security page.
Greene wrote that recipients have ranged from professional researchers to students, with the youngest one at just 13 years old. He added that two bounty recipients went on to accept full-time jobs with the social network’s security team.
Only 20 percent of bounties have gone to people in the U.S., according to Greene, but it was still the top country in terms of total recipients, followed by India, the U.K., Turkey, and Germany. The countries with the fastest-growing totals are:
This early progress is really encouraging, in no small part because programs like these can have a significant impact on our ability to keep Facebook secure. After all, no matter how much we invest in security — and we invest a lot — we’ll never have all of the world’s smartest people on our team, and we’ll never be able to think of all of the different ways a system as complex as ours might be vulnerable. Our bug bounty program allows us to harness the talent and perspective of people from all kinds of backgrounds, from all around the world.
As the program continues to expand, we wanted to shed more light on the general criteria we use to determine the amount to pay researchers when they submit a bug. We base these decisions on four primary factors: impact, quality of communication, target, and secondary damage.
- Quality of communication: Can you provide detailed, easy-to-follow instructions on how to reproduce the issue? Do you have a proof of concept, or screenshots? Cooperation and good communication as we work to evaluate a submission are crucial. It is important to note that we do not reward anyone for speaking English or for writing long reports.
- Target: Facebook.com, Instagram, HHVM, and our mobile applications are considered high-value targets, and they typically earn more significant bounties than bugs in code not written by Facebook or bugs that are unrelated to user data.
- Secondary Damage: Bugs that lead us to more bugs get bigger payouts. In these cases, the initial bug is much more valuable because the subsequent investigation and fixing of the original bug leads us to additional issues that we can fix.
We are very happy with our progress so far, and we want to thank everyone who has participated — you are the reason this works. If you’re interested in participating in the program, please head to https://www.facebook.com/whitehat/ to learn more.
Readers: Have you ever submitted a bug to Facebook?