Facebook doled out $1.5M in bug bounty rewards in 2013

Summary: Facebook received 14,763 bug submissions in 2013, a whopping 246 percent increase in one year.


For eager web developers or even benevolent hackers just looking to help out, Facebook's bug bounty program continues to serve as a fruitful starting point.

The world's largest social network just published stats for the security research service, showing that interest in the program showed no sign of waning last year.

For starters, Facebook received 14,763 bug submissions in 2013, a whopping 246 percent increase in one year.

The Menlo Park, Calif.-based company first launched its bug bounty program back in 2011.

The guidelines for submission are available in full detail on Facebook itself.

The minimum reward amount is $500, and there is no maximum reward or ceiling.

The social network states that "each bug is awarded a bounty based on its severity and creativity." But only one bounty, or financial reward, is doled out per bug found.

But bounties aren't necessarily easy to come by, as demonstrated by last year's results. Of the aforementioned number of submissions, only 687 were deemed valid and eligible to receive financial compensation.

Facebook security engineer Collin Greene noted in a blog post on Thursday that most bugs derived from "non-core properties," notably websites owned and operated by some of Facebook's acquisitions.

Only six percent, Greene revealed, of eligible bugs were labeled as highly severe.

Every one of the almost 15,000 submissions we received last year was reviewed individually by a security engineer, and our team is still small (here's how to join us: https://fburl.com/16354608). Most submissions end up not being valid issues, but we assume they are until we've fully evaluated the report. That attitude makes it possible for us to triage high-priority issues quickly and get the right resources allocated immediately. As mentioned above, we've managed to take the median fix time for high-severity issues down to just 6 hours, and we're going to continue focusing on efficiency as the program grows. We also use static analysis and other automated tools where applicable to help prevent engineers from repeating mistakes later.

Overall, Facebook paid out approximately $1.5 million to 330 researchers worldwide in 2013, with an average reward of $2,204.

When breaking results down by country, Russia topped the scoreboard with an average of $3,961 in rewards for 38 bugs reported. The United States saw 92 bugs deemed eligible, but the average reward was closer to $2,272. India, Brazil, and the United Kingdom were also highlighted in the top five.


About

Rachel King is a staff writer for CBS Interactive based in San Francisco, covering business and enterprise technology for ZDNet, CNET and SmartPlanet. She has previously worked for The Business Insider, FastCompany.com, CNN's San Francisco bureau and the U.S. Department of State. Rachel has also written for MainStreet.com, Irish Americ...
