Bug bounty: Facebook paid $1.5M to white hat researchers in 2013


Facebook rewards white hat researchers who find errors and holes in the social network’s code, but don’t exploit them. In a look ahead at Facebook’s bug bounty program in 2014, Security Engineer Collin Greene examined what the program did in 2013.

Last year, Facebook received 14,763 submissions from researchers — a 246 percent increase from 2012. Of those submissions, 687 were valid and eligible to receive a reward. 6 percent of the eligible bugs were categorized as high severity, prompting a median response time from Facebook in about 6 hours.

Facebook paid out $1.5 million to 330 researchers around the world, with the average reward being $2,204. Most bugs were discovered in non-core properties, such as websites operated by companies acquired by Facebook.

Researchers from Russia brought in the most per report, earning an average of $3,961 for 38 bugs. Indian researchers and white hat hackers contributed the most valid bugs (136), with an average reward of $1,353. American researchers reported 92 issues, with an average reward of $2,272. Brazil (53) and the U.K. (40) were third and fourth in terms of volume of valid bugs reported.

Greene said that so far this year, researchers are finding it harder to find high-severity bugs. The company is vowing to increase its reward amounts for high-priority issues.

Greene wrote in the blog post what Facebook plans to do this year with regard to the bug bounty program:

  • We created a new, centralized Support Dashboard to give researchers a simple way to view the status of their reports and keep track of the progress:https://www.facebook.com/settings?tab=support
  • The following properties are now in scope: Instagram, Parse, Atlas, and Onavo.
  • We’re no longer going to reward text injection reports. Rendering text on a page isn’t a security issue on its own without some kind of additional social engineering, and we don’t reward phishing reports.
  • We created a reference list of commonly reported issues that are ineligible: https://www.facebook.com/notes/facebook-bug-bounty/commonly-submitted-false-positives/744066222274273
  • We will continue to increase bounties over time for high-impact issues. In general, the best targets for high-impact issues as a security researcher are facebook.com itself, the Facebook or Instagram mobile apps, or HHVM.

Readers: Have you ever submitted a bug report to Facebook?

Image courtesy of Shutterstock.

Mediabistro Job Fair

Mediabistro Event

Mediabistro Job Fair

Join us on January 27 at the Altman Building in New York City for an incredible opportunity to meet with hiring managers from the top New York media companies, network with other professionals and industry leaders, and land your next job! Register now!


Leave a Reply

Get the latest news in your inbox
interested in advertising with inside facebook?

Social Media Jobs
of the Day

Social Media Manager

Social Media Manager
Santa Monica, CA

Social Media Manager

Honest Tea, Inc.
Bethesda, MD

Product Manager - Community Platform

Maker Media
San Francisco, CA

Featured Company

Join leading companies like this one and recruit from the nation's top media job seekers on the Mediabistro Job Board. Every job post comes with our satisfaction guarantee. Learn More

Our Sponsors

Mediabistro A division of Prometheus Global Media home | site map | advertising/sponsorships | careers | contact us | help courses | browse jobs | freelancers | content | member benefits | reprints & permissions terms of use | privacy policy Copyright © 2014 Mediabistro Inc. call (212) 389-2000 or email us