Bug bounty: Facebook paid $1.5M to white hat researchers in 2013


Facebook rewards white hat researchers who find errors and holes in the social network’s code, but don’t exploit them. In a look ahead at Facebook’s bug bounty program in 2014, Security Engineer Collin Greene examined what the program did in 2013.

Last year, Facebook received 14,763 submissions from researchers — a 246 percent increase from 2012. Of those submissions, 687 were valid and eligible to receive a reward. 6 percent of the eligible bugs were categorized as high severity, prompting a median response time from Facebook in about 6 hours.

Facebook paid out $1.5 million to 330 researchers around the world, with the average reward being $2,204. Most bugs were discovered in non-core properties, such as websites operated by companies acquired by Facebook.

Researchers from Russia brought in the most per report, earning an average of $3,961 for 38 bugs. Indian researchers and white hat hackers contributed the most valid bugs (136), with an average reward of $1,353. American researchers reported 92 issues, with an average reward of $2,272. Brazil (53) and the U.K. (40) were third and fourth in terms of volume of valid bugs reported.

Greene said that so far this year, researchers are finding it harder to find high-severity bugs. The company is vowing to increase its reward amounts for high-priority issues.

Greene wrote in the blog post what Facebook plans to do this year with regard to the bug bounty program:

  • We created a new, centralized Support Dashboard to give researchers a simple way to view the status of their reports and keep track of the progress:https://www.facebook.com/settings?tab=support
  • The following properties are now in scope: Instagram, Parse, Atlas, and Onavo.
  • We’re no longer going to reward text injection reports. Rendering text on a page isn’t a security issue on its own without some kind of additional social engineering, and we don’t reward phishing reports.
  • We created a reference list of commonly reported issues that are ineligible: https://www.facebook.com/notes/facebook-bug-bounty/commonly-submitted-false-positives/744066222274273
  • We will continue to increase bounties over time for high-impact issues. In general, the best targets for high-impact issues as a security researcher are facebook.com itself, the Facebook or Instagram mobile apps, or HHVM.

Readers: Have you ever submitted a bug report to Facebook?

Image courtesy of Shutterstock.