Twitter paid researchers $322,420 in the past two years

May 31, 2016 15:00 GMT

Twitter's bug bounty program celebrated its second birthday last week, and the company's security team decided to gather up all the program's data and provide some insight into how much effort such an endeavor requires.

Two years in, Twitter says it has received 5,171 submissions from 1,662 security researchers and has paid a total of $322,420 to security researchers over that period.

That figure is small compared to Google's and Facebook's, but it also has to be weighed against the fact that Twitter exposes far fewer assets online than those two companies.

Just for comparison, Facebook has awarded security researchers $4.3 million since its program launched in 2011, over $936,000 of it in the past year alone. Google, on the other hand, awarded security researchers over $2 million in 2015 alone and a total of $6 million since the Google Security Reward Program started in 2010.

Twitter paid on average $835 per bug report

Furthermore, Twitter also prides itself on not imposing any limits on researchers and says that submissions for bugs that have since been fixed have ended up as blog posts on the public Internet. The company says that around one in five researchers requests permission to have their bug publicly disclosed.

Twitter is also known for paying bounties in increments of $140, which is also the minimum payout for a submission, and says that during the past two years the highest bug payout was $12,040, or the equivalent of 860 tweets, as the company puts it. At the time of that payout, Twitter also held the record for the highest reward paid on HackerOne, the platform through which the company manages its bug bounty program.

The company also highlighted that dedicated security researchers are always welcome and that in 2015 it paid one security expert around $54,000 for all of his bug submissions.

Twitter was one of the major companies that gave HackerOne legitimacy, and recently other businesses and even government agencies have started bug bounty programs on HackerOne, among them the Pentagon, Uber, Pornhub, and even the Tor Project.

Evolution of Twitter's bug bounty program