Unearthing Facebook holes, Mark Zuckerberg company to pay hackers

Russia and Brazil are hacking Facebook, and the social network is paying them to do it.
Facebook paid out $US1.5 million to security researchers worldwide last year as part of its Bug Bounty program, and the two emerging markets were responsible for reporting some of the most critical threats, according to a report Facebook released this week.
The company rewards disclosures about vulnerabilities, and then uses the information to fortify the world's largest social network against hackers.
Russians submitted 38 bugs, for which Facebook paid $US3961 each on average, totalling $US150,518. Brazilians found 53 bugs, worth $US3792 on average. Brazil's total take was $US200,976.
Researchers in India contributed the largest number of bugs, at 136, but earned just $US1353 on average for each of them, amounting to a total of $US184,008. Those in the US earned an average of $US2272 each for 92 bugs, totalling $US209,024.
Facebook ranks the severity of bugs by how much damage they could inflict on individual users and on the network as a whole. The more serious a weakness, the higher the payout. While hackers in Russia and Brazil are finding and disclosing fewer bugs to Facebook than those in India and the US, those bugs tend to present a more serious danger.
Such bug bounty programs are a popular way for technology companies such as Google, Firefox maker Mozilla and Hewlett-Packard to secure their services. These programs can be more effective than hiring security auditors and cheaper than dealing with the consequences of a breach.
Collin Greene, a security engineer at Facebook, wrote in a blog post that the company received nearly 15,000 submissions last year, more than triple the number in 2012. Just 687 of those were deemed valid, and of those, 6 per cent were classified as high severity. The company took about six hours to push out an initial fix for each vulnerability, according to Greene.
"The volume of high-severity issues is down, and we're hearing from researchers that it's tougher to find good bugs," Greene wrote. "To encourage the best research in the most valuable areas, we're going to continue increasing our reward amounts for high priority issues."
