Facebook’s Bug Bounty Program To Date: More Than $1M To 329 People In 51 Countries

Since Facebook launched its bug bounty program two years ago, more than $1 million in rewards has been handed out to 329 people in 51 countries, Security Engineer Collin Greene reported in a note on the Facebook Security page.

Greene wrote that recipients have ranged from professional researchers to students, with the youngest one at just 13 years old. He added that two bounty recipients went on to accept full-time jobs with the social network’s security team.

Only 20 percent of bounties have gone to people in the U.S., according to Greene, but it was still the top country in terms of total recipients, followed by India, the U.K., Turkey, and Germany. The countries with the fastest-growing totals are:

  • U.S.
  • India
  • Turkey
  • Israel
  • Canada
  • Germany
  • Pakistan
  • Egypt
  • Brazil
  • Sweden
  • Russia

Greene wrote:

This early progress is really encouraging, in no small part because programs like these can have a significant impact on our ability to keep Facebook secure. After all, no matter how much we invest in security — and we invest a lot — we’ll never have all of the world’s smartest people on our team, and we’ll never be able to think of all of the different ways a system as complex as ours might be vulnerable. Our bug bounty program allows us to harness the talent and perspective of people from all kinds of backgrounds, from all around the world.

As the program continues to expand, we wanted to shed more light on the general criteria we use to determine the amount to pay researchers when they submit a bug. We base these decisions on four primary factors: impact, quality of communication, target, and secondary damage.

  • Impact: Would this bug allow someone to access private Facebook data? Delete Facebook data? Modify an account? Can you run JavaScript under facebook.com? These are high-impact vulnerabilities, and this is the most important attribute we consider. For example, an open redirect is worth less than an XSS, and an XSS that requires user interaction is worth less than one that doesn’t. Ease of exploitation plays into impact, as well. Ultimately, we pay these bounties to protect Facebook users, so the more users it could affect and the more damage it could do, the higher the impact.
  • Quality of communication: Can you provide detailed, easy-to-follow instructions on how to reproduce the issue? Do you have a proof of concept, or screenshots? Cooperation and good communication as we work to evaluate a submission are crucial. It is important to note that we do not reward anyone for speaking English or for writing long reports.
  • Target: Facebook.com, Instagram, HHVM, and our mobile applications are considered high-value targets, and they typically earn more significant bounties than bugs in code not written by Facebook or bugs that are unrelated to user data.
  • Secondary Damage: Bugs that lead us to more bugs get bigger payouts. In these cases, the initial bug is much more valuable because the subsequent investigation and fixing of the original bug leads us to additional issues that we can fix.

We are very happy with our progress so far, and we want to thank everyone who has participated — you are the reason this works. If you’re interested in participating in the program, please head to https://www.facebook.com/whitehat/ to learn more.

Readers: Have you ever submitted a bug to Facebook?
