Bug bounty: Facebook paid $1.5M to white hat researchers in 2013

Facebook rewards white hat researchers who find errors and holes in the social network’s code, but don’t exploit them. In a look ahead at Facebook’s bug bounty program in 2014, Security Engineer Collin Greene examined what the program did in 2013.
Last year, Facebook received 14,763 submissions from researchers — a 246 percent increase from 2012. Of those submissions, 687 were valid and eligible to receive a reward. 6 percent of the eligible bugs were categorized as high severity, and Facebook's median response time for those was about 6 hours.
Facebook paid out $1.5 million to 330 researchers around the world, with the average reward being $2,204. Most bugs were discovered in non-core properties, such as websites operated by companies acquired by Facebook.
Researchers from Russia brought in the most per report, earning an average of $3,961 for 38 bugs. Indian researchers and white hat hackers contributed the most valid bugs (136), with an average reward of $1,353. American researchers reported 92 issues, with an average reward of $2,272. Brazil (53) and the U.K. (40) were third and fourth in terms of volume of valid bugs reported.
Greene said that so far this year, researchers are finding it harder to find high-severity bugs. The company is vowing to increase its reward amounts for high-priority issues.
Greene wrote in the blog post what Facebook plans to do this year with regard to the bug bounty program:
  • We created a new, centralized Support Dashboard to give researchers a simple way to view the status of their reports and keep track of the progress: https://www.facebook.com/settings?tab=support
  • The following properties are now in scope: Instagram, Parse, Atlas, and Onavo.
  • We’re no longer going to reward text injection reports. Rendering text on a page isn’t a security issue on its own without some kind of additional social engineering, and we don’t reward phishing reports.
  • We created a reference list of commonly reported issues that are ineligible: https://www.facebook.com/notes/facebook-bug-bounty/commonly-submitted-false-positives/744066222274273
  • We will continue to increase bounties over time for high-impact issues. In general, the best targets for high-impact issues as a security researcher are facebook.com itself, the Facebook or Instagram mobile apps, or HHVM.
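The text-injection point above is easy to misjudge when triaging reports, so here is an added illustration (not code from the post or from Facebook) of why reflected text is not a vulnerability on its own: when user input is interpolated with proper HTML escaping, any markup the user supplies is rendered as literal characters rather than elements. The template string and the sample input are constructed for the example; the `injected_tags` helper is a hypothetical triage check that reports which elements in the rendered page originated from the user input.

```python
import html
from collections import Counter
from html.parser import HTMLParser

# Constructed page template; {{text}} is where user input is reflected.
TEMPLATE = "<p>Search results for: {{text}}</p>"


def render_unescaped(user_text: str) -> str:
    """Unsafe rendering: raw interpolation, so markup in the input becomes real elements."""
    return TEMPLATE.replace("{{text}}", user_text)


def render_escaped(user_text: str) -> str:
    """Safe rendering: html.escape turns <, >, &, and quotes into entities, so the
    input is displayed as text. This is the 'text injection' case that is not a bug."""
    return TEMPLATE.replace("{{text}}", html.escape(user_text, quote=True))


class _TagCollector(HTMLParser):
    """Collect the start tags the browser-side parser would see in a document."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        self.tags.append(tag)


def tags_in(markup: str) -> list[str]:
    parser = _TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags


def injected_tags(render, user_text: str) -> list[str]:
    """Hypothetical triage check: which elements in the rendered output were
    contributed by the user input rather than by the template? Compares tag
    counts against a render of the empty string so template elements of the
    same name are not masked."""
    baseline = Counter(tags_in(render("")))
    with_input = Counter(tags_in(render(user_text)))
    return sorted((with_input - baseline).elements())


if __name__ == "__main__":
    sample = "<b>bold</b>"  # constructed input containing markup
    print("unescaped:", injected_tags(render_unescaped, sample))  # ['b'] -> real injection
    print("escaped:  ", injected_tags(render_escaped, sample))    # []    -> text only
    print(render_escaped(sample))
```

Running the block shows the distinction a triager cares about: the unescaped renderer lets the user's `<b>` become an element in the document, whereas the escaped renderer yields an empty list because the same input survives only as visible text. A report that demonstrates the second behaviour is reporting a cosmetic reflection, not a security defect, which is exactly the class of submission the post says will no longer be rewarded.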