India’s white hats lead the world at breaking Facebook

India’s white hat hackers have been singled out by Facebook for their prolific contribution to the social network’s four-year-old bug bounty program.

Adam Ruddermann, a technical program manager on the Facebook Bug Bounty team, praised the contribution of India’s security research community in a blog post about the recent Nullcon security conference held in Goa, India.

According to Ruddermann, no other country has more individual contributors in the Facebook bug bounty program and no country has earned more in bounties.

Between them, India’s 205 contributors have earned a cool ₹48.4 million INR (about $730,000 USD) in rewards, he said.

The security community in India is strong and growing every day. India has long topped the list of 127 countries whose researchers contribute to our bug bounty program. It also holds the top position for the country receiving the most bounties paid.

Facebook receives more and more high-impact bugs from India each year, reflecting the growing sophistication and technical capabilities of the country’s engineering schools and cybersecurity programs.

The Facebook Bug Bounty program was launched in 2011 to reward hackers who find bugs in its apps and websites. Hackers who report eligible bugs are paid according to their discovery’s risk, and the biggest payouts for reported bugs have reached well into five figures (USD).

Bug bounty programs have become increasingly popular in recent years as companies look for better ways to combat sophisticated and well-funded aggressors, to promote responsible disclosure and to create a counterweight to the underground trade in 0-days.

By the end of 2015 Facebook’s program had awarded more than $4.3 million USD.

There are about 125 million Facebook users in India, making it the company’s second-largest market, and according to the New Indian Express, India is set to overtake the USA as the country with the most Facebook users by 2017.

Indian bug bounty winners have spared Facebook users from some very serious vulnerabilities in the program’s short life.

The roll call of white hat heroes includes Laxman Muthiyah who scooped $12,500 USD after finding a way to take out any public photo album (including the ones that hold your cover photos and profile pictures) with a simple delete command.

More recently, Anand Prakash found an even more devastating bug that earned him $15,000 USD: how to break into any Facebook account.

The rewards that Anand and Laxman earned were substantial, but both could probably have earned more by selling their exploits to criminals rather than Facebook.

Just like all the other white hat contributors to bug bounty programs around the world, they made a choice to do the Right Thing, and we’re glad they did.

