Facebook bug bounty program paid out $1.5m in 2013


According to newly published figures, Facebook has paid out a whopping $2m since it introduced its bug bounty program in 2011, with $1.5m (about £900,000) of that being spread between 330 researchers in 2013 alone.

During that year the company received 14,763 submissions from researchers, a year on year increase of 246%.

Facebook says that all submissions are considered to be valid until proven otherwise:

Most submissions end up not being valid issues, but we assume they are until we've fully evaluated the report. That attitude makes it possible for us to triage high-priority issues quickly and get the right resources allocated immediately.

The majority of the flaws submitted during the course of 2013 proved to be invalid, as perhaps expected, leaving some 687 that were eligible to receive an award.

Of those, 6% were designated as high severity, but fixes came quickly.

We've managed to take the median fix time for high-severity issues down to just 6 hours, and we're going to continue focusing on efficiency as the program grows. We also use static analysis and other automated tools where applicable to help prevent engineers from repeating mistakes later.

The report also gives some detail on vulnerability discovery by country, highlighting how the largest number of bugs (136) were discovered by residents of India, with the average payout totalling $1,353.

The third largest number of submissions came from Brazil, whose citizens discovered a total of 53 bugs valued at an average of $3,792 each.

A Brazilian, Reginaldo Silva, also had the honour of receiving Facebook’s largest ever bounty payment of $33,500 (about £20,000) and a job, after discovering a remote code execution flaw.

Facebook Security Engineer Collin Greene said the company has made a few changes to help encourage further research:

  • There is a new, centralised Support Dashboard to give researchers a simple way to view the status of their reports and keep track of the progress.
  • Instagram, Parse, Atlas, and Onavo are now in scope.
  • Text injection reports will no longer be rewarded – “Rendering text on a page isn’t a security issue on its own without some kind of additional social engineering, and we don’t reward phishing reports.”
  • There is now a reference list of commonly reported issues that are ineligible.
  • Bounties will be increased over time for high-impact issues.

If you’ve found something that Facebook needs to know about, you can learn more about reporting here.

Make sure that you follow the guidelines and make a responsible disclosure if you wish to receive an award.

Newly discovered vulnerabilities are worth a minimum of $500 and there is no maximum reward, with each bug attracting a payment that represents its “severity and creativity.”
