900 bugs. That’s a lot. $5,000,000. That’s a lot, too. That’s how many bugs Facebook’s pioneering bug bounty program has uncovered since it launched five years ago – and how much Facebook has paid for them.
The social network giant celebrated the program’s fifth anniversary with a blog post and self-assessment – and for anyone who’s either running or contemplating a bug bounty program, it’s quite instructive.
As The Register notes, Facebook’s program:
Pays generously when it receives notice of flaws and working proof-of-concepts, provided they are not already public or used in attacks against users.
Simple math shows the average payment has run roughly $5,500, but some have earned much more.
Just a few weeks ago, we told you about Arun Sureshkumar, who earned $16,000 for uncovering a zero-day vulnerability in Facebook Business Manager that would’ve allowed anyone to capture or delete any page on Facebook.
And in March, Anand Prakash earned $15,000 for discovering that Facebook’s beta sites weren’t rate-limiting password-reset PINs, leaving them open to brute-force guessing: with no cap on failed attempts, a script could simply try every possible PIN until one was accepted.
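To make concrete why a missing rate limit turns a short PIN into no protection at all, here is an added illustration that is not Facebook’s code and not from the original report. It assumes a 6-digit numeric PIN and a hypothetical reset service with a per-account cap on failed guesses; the class and function names are invented for the example. The same `ResetService` runs in two modes: `max_attempts=None` reproduces the unthrottled behaviour (the bug), and a small attempt budget shows the fix burning the PIN after a handful of wrong guesses.

```python
"""Password-reset PIN verification, unthrottled vs throttled (added example)."""
import hmac
import secrets

PIN_DIGITS = 6                 # assumption: a 6-digit numeric PIN
PIN_SPACE = 10 ** PIN_DIGITS   # 1,000,000 possible values


class ResetService:
    """Issues one-time password-reset PINs and checks guesses against them.

    max_attempts=None reproduces the bug described in the article: nothing
    stops a client from trying every PIN in turn. A small integer enforces
    a per-account budget of failed guesses before the PIN is invalidated.
    """

    def __init__(self, max_attempts=None):
        self.max_attempts = max_attempts
        self._pins = {}      # account -> outstanding PIN
        self._failed = {}    # account -> failed guesses against that PIN

    def issue_pin(self, account, pin=None):
        # The pin= argument exists only so tests are deterministic;
        # a real service always generates the PIN itself.
        if pin is None:
            pin = f"{secrets.randbelow(PIN_SPACE):0{PIN_DIGITS}d}"
        self._pins[account] = pin
        self._failed[account] = 0
        return pin  # in practice delivered out of band (SMS, e-mail)

    def verify(self, account, guess):
        """Return 'ok', 'wrong', or 'locked' (no usable PIN outstanding)."""
        if account not in self._pins:
            return "locked"
        # Constant-time comparison so timing does not leak the PIN either.
        if hmac.compare_digest(self._pins[account], guess):
            del self._pins[account]  # PINs are single-use
            return "ok"
        self._failed[account] += 1
        if self.max_attempts is not None and self._failed[account] >= self.max_attempts:
            del self._pins[account]  # burn the PIN; the user must request a new one
            return "locked"
        return "wrong"


def brute_force(service, account):
    """Attacker loop: enumerate PINs in order until accepted or locked out.

    Returns (pin_found_or_None, number_of_guesses_made).
    """
    for i in range(PIN_SPACE):
        guess = f"{i:0{PIN_DIGITS}d}"
        status = service.verify(account, guess)
        if status == "ok":
            return guess, i + 1
        if status == "locked":
            return None, i + 1
    return None, PIN_SPACE


if __name__ == "__main__":
    # Unthrottled: the attacker always gets in, on average after ~500,000 guesses.
    vulnerable = ResetService(max_attempts=None)
    secret_pin = vulnerable.issue_pin("victim")
    print("unthrottled:", brute_force(vulnerable, "victim"), "(pin was", secret_pin + ")")

    # Throttled: the PIN is invalidated after five wrong guesses.
    hardened = ResetService(max_attempts=5)
    hardened.issue_pin("victim")
    print("throttled:", brute_force(hardened, "victim"))
```

A per-account attempt cap is the minimum fix; a production service would also throttle by source address and by PIN issuance rate, so that an attacker cannot sidestep the cap by requesting fresh PINs, and would apply identical limits to beta and production hosts, since the article’s bug lived on beta sites that shared real accounts.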
Overall, average payments seemed to drop a bit in the first half of 2016: Facebook reports doling out $611,741 to 149 researchers, or about $4,100 per person. On the other hand, the averages seem a lot higher than they were when we covered the program back in 2014.
Meanwhile, the program seems to be thriving.
Facebook got 9,000+ bug reports during the first half of this year, and started accepting bug reports for its WhatsApp division, too. (You’ll notice the vast majority of those bugs didn’t earn cash. That’s true for most bug bounty programs. Before you submit, you might want to check out Facebook’s page on what does and doesn’t qualify.)
If you do make it through the sieve, Facebook will now be happy to pay you in Bitcoin, should you so desire. Whatever currency you prefer, Facebook says its payment process has recently been automated, so you should get your loot that much sooner.
In his post, bug bounty team blogger Joey Tyson also shared a few best-practice program tweaks that might be useful to folks following in Facebook’s footsteps.
Our award notifications now include information on how the specific bounty was determined. We continue to make these decisions based on real (rather than perceived) risk and will share more details on the thinking behind each award.
We’re also preparing to share more educational resources on security fundamentals and topics specific to our products.
Beyond finding bugs, Facebook notes that its security team has recruited many new security professionals from those who’ve submitted bugs. In today’s competitive market for security talent, that’s a distinctly non-trivial benefit.
Of course, it goes both ways: as Facebook’s program has moved forward, some team members have moved on, using their expertise to start and operate bug bounty programs elsewhere. Facebook wishes them godspeed:
We’re proud of former team members who’ve helped us along the way and continue to launch new programs around the world.