Aug 30, 2011 12:55 GMT

Facebook has paid $40,000 through its new security bug bounty program during the first month, with the highest reward for a single report being $5,000.

Facebook revealed its plans to launch a bug bounty program back in May during the Hack in the Box security conference in Amsterdam.

The program was officially launched a month ago, on July 29, and is similar to those already run by Google and Mozilla for their web platforms.

In a new blog post, Facebook's chief security officer Joe Sullivan reveals that the program has already exceeded the company's expectations and resulted in the payment of $40,000 to security researchers during the first month.

"It has been amazing to see how independent security talent around the world has mobilized to help. We know and have relationships with a large number of security experts, but this program has kicked off dialogue with a whole new and ever expanding set of people across the globe," Sullivan writes.

He also took the opportunity to correct a few misconceptions about the program, like the belief that every bounty is $500. "That is the minimum amount we will pay. In fact, we’ve already paid a $5,000 bounty for one really good report," he reveals.

One particular researcher has earned $7,000 so far from reporting security vulnerabilities through the program. He wasn't named, but all researchers who worked with Facebook are listed on a White Hats page.

Sullivan responded to requests to have the bug bounty extended to the entire Facebook Platform, which includes hundreds of thousands of third-party apps and games, by saying that it's not feasible.

Facebook is the latest company to declare itself happy with the results of a bug bounty program. The costs of such programs are very low compared to those of professional audits and the number of bugs identified is usually higher.

Also, more people have the chance to use their talents and get paid for it, so it's a win-win situation for everyone. "A bug bounty program is a great way to engage with the security research community, and an even better way to improve security across a complex technological environment," the Facebook official concludes.