Bug bounty: Facebook paid $1.5M to white hat researchers in 2013


Facebook rewards white hat researchers who find errors and holes in the social network’s code, but don’t exploit them. In a look ahead at Facebook’s bug bounty program in 2014, Security Engineer Collin Greene examined what the program did in 2013.

Last year, Facebook received 14,763 submissions from researchers, a 246 percent increase from 2012. Of those submissions, 687 were valid and eligible to receive a reward. Six percent of the eligible bugs were categorized as high severity, and Facebook's median response time for those was about 6 hours.

Facebook paid out $1.5 million to 330 researchers around the world, with the average reward being $2,204. Most bugs were discovered in non-core properties, such as websites operated by companies acquired by Facebook.

Researchers from Russia brought in the most per report, earning an average of $3,961 for 38 bugs. Indian researchers and white hat hackers contributed the most valid bugs (136), with an average reward of $1,353. American researchers reported 92 issues, with an average reward of $2,272. Brazil (53) and the U.K. (40) were third and fourth in terms of volume of valid bugs reported.

Greene said that so far this year, researchers are having a harder time finding high-severity bugs. The company has pledged to increase its reward amounts for high-priority issues.

Greene wrote in the blog post what Facebook plans to do this year with regard to the bug bounty program:

  • We created a new, centralized Support Dashboard to give researchers a simple way to view the status of their reports and keep track of the progress: https://www.facebook.com/settings?tab=support
  • The following properties are now in scope: Instagram, Parse, Atlas, and Onavo.
  • We’re no longer going to reward text injection reports. Rendering text on a page isn’t a security issue on its own without some kind of additional social engineering, and we don’t reward phishing reports.
  • We created a reference list of commonly reported issues that are ineligible: https://www.facebook.com/notes/facebook-bug-bounty/commonly-submitted-false-positives/744066222274273
  • We will continue to increase bounties over time for high-impact issues. In general, the best targets for high-impact issues as a security researcher are facebook.com itself, the Facebook or Instagram mobile apps, or HHVM.

Readers: Have you ever submitted a bug report to Facebook?

Image courtesy of Shutterstock.
