Bug bounty: Facebook paid $1.5M to white hat researchers in 2013


Facebook rewards white hat researchers who find errors and holes in the social network’s code, but don’t exploit them. In a look ahead at Facebook’s bug bounty program in 2014, Security Engineer Collin Greene examined what the program did in 2013.

Last year, Facebook received 14,763 submissions from researchers — a 246 percent increase from 2012. Of those submissions, 687 were valid and eligible to receive a reward. 6 percent of the eligible bugs were categorized as high severity, prompting a median response time from Facebook in about 6 hours.

Facebook paid out $1.5 million to 330 researchers around the world, with the average reward being $2,204. Most bugs were discovered in non-core properties, such as websites operated by companies acquired by Facebook.

Researchers from Russia brought in the most per report, earning an average of $3,961 for 38 bugs. Indian researchers and white hat hackers contributed the most valid bugs (136), with an average reward of $1,353. American researchers reported 92 issues, with an average reward of $2,272. Brazil (53) and the U.K. (40) were third and fourth in terms of volume of valid bugs reported.

Greene said that so far this year, researchers are finding it harder to find high-severity bugs. The company is vowing to increase its reward amounts for high-priority issues.

Greene wrote in the blog post what Facebook plans to do this year with regard to the bug bounty program:

  • We created a new, centralized Support Dashboard to give researchers a simple way to view the status of their reports and keep track of the progress:https://www.facebook.com/settings?tab=support
  • The following properties are now in scope: Instagram, Parse, Atlas, and Onavo.
  • We’re no longer going to reward text injection reports. Rendering text on a page isn’t a security issue on its own without some kind of additional social engineering, and we don’t reward phishing reports.
  • We created a reference list of commonly reported issues that are ineligible: https://www.facebook.com/notes/facebook-bug-bounty/commonly-submitted-false-positives/744066222274273
  • We will continue to increase bounties over time for high-impact issues. In general, the best targets for high-impact issues as a security researcher are facebook.com itself, the Facebook or Instagram mobile apps, or HHVM.

Readers: Have you ever submitted a bug report to Facebook?

Image courtesy of Shutterstock.

Tumblr Marketing

Mediabistro Course

Tumblr Marketing

Starting December 1, learn how to market using the most popular visual blog! In this course, you’ll learn how to develop a strategy for your own Tumblr account, get people to read and share your content, and integrate your marketing efforts with other social platforms. Register now!


Leave a Reply

Get the latest news in your inbox
interested in advertising with inside facebook?

Social Media Jobs
of the Day

Director of Marketing

Broadway Across America
Baltimore, MD

Featured Company

Join leading companies like this one and recruit from the nation's top media job seekers on the Mediabistro Job Board. Every job post comes with our satisfaction guarantee. Learn More

Our Sponsors

Mediabistro A division of Prometheus Global Media home | site map | advertising/sponsorships | careers | contact us | help courses | browse jobs | freelancers | content | member benefits | reprints & permissions terms of use | privacy policy Copyright © 2014 Mediabistro Inc. call (212) 389-2000 or email us