Facebook doled out $1.5M in bug bounty rewards in 2013

Summary: Facebook received 14,763 bug submissions in 2013, a 246 percent increase in a single year.


For eager web developers or even benevolent hackers just looking to help out, Facebook's bug bounty program continues to serve as a fruitful starting point.

The world's largest social network just published statistics for its security research program, showing no sign of waning interest last year.

For starters, Facebook received 14,763 bug submissions in 2013, a 246 percent increase in a single year.

The Menlo Park, Calif.-based company first launched its bug bounty program back in 2011.

The guidelines for submission are available in full detail on Facebook itself.

The minimum reward amount is $500, and there is no maximum reward or ceiling.

The social network states that "each bug is awarded a bounty based on its severity and creativity." Only one bounty, or financial reward, is paid per bug, however.

But bounties aren't necessarily easy to come by, as demonstrated by last year's results. Of the aforementioned number of submissions, only 687 were deemed valid and eligible to receive financial compensation.

Facebook security engineer Collin Greene noted in a blog post on Thursday that most bugs derived from "non-core properties," notably websites owned and operated by some of Facebook's acquisitions.

Only six percent of eligible bugs, Greene revealed, were rated as high severity.

From Greene's post: "Every one of the almost 15,000 submissions we received last year was reviewed individually by a security engineer, and our team is still small (here's how to join us: https://fburl.com/16354608). Most submissions end up not being valid issues, but we assume they are until we've fully evaluated the report. That attitude makes it possible for us to triage high-priority issues quickly and get the right resources allocated immediately. As mentioned above, we've managed to take the median fix time for high-severity issues down to just 6 hours, and we're going to continue focusing on efficiency as the program grows. We also use static analysis and other automated tools where applicable to help prevent engineers from repeating mistakes later."

Overall, Facebook paid out approximately $1.5 million to 330 researchers worldwide in 2013, with an average reward of $2,204.

When breaking results down by country, Russia topped the scoreboard with an average of $3,961 in rewards for 38 bugs reported. The United States saw 92 bugs deemed eligible, but the average reward was closer to $2,272. India, Brazil, and the United Kingdom were also highlighted in the top five.

Talkback

  • Between the lines...

    So the headline should have read something like "Supposed to be worth billions but cannot employ bright enough folk or check code before exposing the public to dodgy software"
    dumb blonde