Bounty Hunters reap rewards on Facebook, India turns in most fixes

Bug Hunters are getting serious cash from Facebook for spotting some of the site's deadly pests
Written by Rajiv Rao, Contributing Writer
Facebook paid $1.5M to 330 researchers across the globe in 2013 for finding bugs

Bounty hunters apparently had a field day last year. But instead of chasing wanted criminals through the seamy underbellies of urban cities or tracking man-eating lions terrorizing villagers in the Serengeti plains, today’s bounty hunter of fame targets a scourge very different from the above: namely, computer bugs, or potential loopholes in security.

And their sugar daddy, Facebook, is willing to pay them cold hard cash to do so.

According to this post from Facebook's Collin Greene, the company paid US$1.5M to 330 researchers across the globe in 2013 for finding bugs, most of them in what the company describes as 'non-core properties', in other words, websites of acquired companies. Apparently the total dished out since 2011 has been US$2 million, which makes last year a particularly lucrative one for these bug hunters.


India, land of techies, turned out to spot the most bugs, 136. However, its average reward was the lowest among the top four, at US$1,353. Russians showed that less may just be more, earning the highest average reward, US$3,961, for just 38 bugs. The USA fielded 92 bugs and averaged US$2,272 in rewards. Next by volume came Brazil and the UK, with 53 and 40 bugs respectively and average rewards of US$3,792 and US$2,950.

Here are some more highlights extracted from Greene's page:

  • Facebook received 14,763 submissions in 2013, a 246 percent increase from 2012.
  • Of these, 687 were valid and eligible to receive rewards.
  • 6 percent of eligible bugs were categorized as high severity. From reading the first submission to implementing an initial fix, the median response time for these high-severity issues was about 6 hours.
  • 2014 is looking good so far. The volume of high-severity issues is down, and researchers say that it's tougher to find good bugs.

India may be known for its techies, but one country that is probably less heralded than it should be for its software talent is Brazil. So, it’s fitting that the biggest paycheck (US$33,500) for bug-spotting went to a Brazilian, Reginaldo Silva, for "discovering an XML external entities attack capable of reading files from a Facebook web server to an internal service that could run code." You can read more about the fix on Reginaldo’s website here.
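The bug class Silva reported, XML external entities (XXE), comes down to an XML parser that resolves entity declarations pointing at server-side files. As an added defensive example, not code from the article or from Facebook, the following Python gate refuses any untrusted document that declares a DOCTYPE or entity before it reaches the real parser; the sample documents and the file path are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat


class UnsafeXMLError(ValueError):
    """Raised when untrusted XML carries a DOCTYPE or entity declaration."""


def _reject_doctype(doctype_name, sysid, pubid, has_internal_subset):
    # Any DOCTYPE (internal subset or external DTD) is where external entities live.
    raise UnsafeXMLError(f"DOCTYPE not allowed (name={doctype_name!r}, system id={sysid!r})")


def _reject_entity(entity_name, *_):
    raise UnsafeXMLError(f"entity declaration not allowed ({entity_name!r})")


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Parse XML from an untrusted source, refusing documents that declare entities.

    A first expat pass installs handlers that abort on the first DOCTYPE or entity
    declaration, before any entity value could be resolved. Only documents that pass
    that gate are handed to ElementTree, which does not fetch external entities
    itself; the gate turns a confusing ParseError into an explicit rejection.
    """
    guard = expat.ParserCreate()
    guard.StartDoctypeDeclHandler = _reject_doctype
    guard.EntityDeclHandler = _reject_entity
    guard.Parse(data, True)  # raises UnsafeXMLError or expat.ExpatError on bad input
    return ET.fromstring(data)


def classify(data: bytes) -> str:
    """Return 'ok', 'rejected-xxe' or 'malformed' for a submitted document."""
    try:
        parse_untrusted_xml(data)
        return "ok"
    except UnsafeXMLError:
        return "rejected-xxe"
    except (expat.ExpatError, ET.ParseError):
        return "malformed"


# Constructed samples (not real traffic): a benign upload, and one declaring an
# external entity that points at a server-side file, the pattern the article describes.
BENIGN = b"<profile><name>demo</name></profile>"
EXTERNAL_ENTITY = (b'<!DOCTYPE profile [<!ENTITY ext SYSTEM "file:///PLACEHOLDER/server-file">]>'
                   b"<profile><name>&ext;</name></profile>")

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("external entity", EXTERNAL_ENTITY)):
        print(f"{label}: {classify(doc)}")
```

The gate complements, rather than replaces, turning off DTD loading and entity resolution in whichever XML library the service actually uses.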

Bug hunters have it good today. Silva says he’s received a number of full-time job offers since then and settled on one from Facebook as a member of its product security team, where he will be "writing code, reviewing software for bugs and working with outsiders as part of the bug bounty program."
