The biggest payout was of $33,500 for a severe bug
Facebook’s bug bounty program is a way for the company to discover and fix important issues and a way for those with enough knowledge to spot them to win some money. In fact, in 2013, Facebook gave approximately $1.5 million in this program.The social network’s bug bounty program was launched in 2011 and has since received more and more submissions.
Last year, Facebook received 14,763 bug submissions, 246 more than in the previous year. The company offers a minimum of $500 for all bugs, and there’s no maximum reward limit. Instead, as with most companies, the people who discover the bugs are awarded bounties based on its severity and creativity.
There is, of course, a bunch of bugs that are not eligible for a bounty, such as security bugs in third-party apps or websites, as well as other tools acquired by Facebook. The only tools that the program covers are Instagram, Parse, Atlas and Onavo.
Bugs aren’t easy to find and getting money from Facebook is even more difficult since not all entries are eligible.
In fact, last year, only 687 of the nearly 15,000 were deemed valid to receive compensation. About 6 percent of them were categorized as high severity. “From reading the first submission to implementing an initial fix, our median response time for these high-severity issues was about 6 hours. We've built our infrastructure to be able to push code twice a day, which helps us release important updates immediately,” Facebook boasts.
330 researchers shared the $1.5 million in 2013, with an average reward of $2,204. Most of the rewarded bugs were discovered in non-core properties, such as websites operated by companies that Facebook acquired.
The biggest payout ever given by the company since the bug bounty program was introduced went to Reginaldo Silva, who received $33,500. He discovered an XML external entities attack capable of reading files from a Facebook web server to an internal service that could run code.
The company has expressed its gratefulness to all researches that evaluated the service and took the time to report bugs. It looks like researchers in Russia earned the highest amount per report last year, namely an average $3,961 for 38 bugs.
“2014 is looking good so far. The volume of high-severity issues is down, and we're hearing from researchers that it's tougher to find good bugs. To encourage the best research in the most valuable areas, we're going to continue increasing our reward amounts for high priority issues,” Facebook’s Colin Greene writes.