Facebook's bug bounty program paid out $1.3 million in 2014

Facebook has doled out roughly $3 million since it launched the bug bounty program in 2011.
Written by Rachel King, Contributor

Facebook paid out $1.3 million to developers and security enthusiasts through its bug bounty program last year, according to an annual update from the social network.

That's down from $1.5 million in 2013, but the pool of bug submissions grew by 16 percent to 17,011 over the course of the year -- up from 14,763 entries in 2013.

The average reward in 2014 was $1,788 as 321 researchers worldwide participated. The top five earners last year collectively netted $256,750.

India led as the largest market in the program with 196 bugs, with an average reward of $1,343.

Egypt and the USA followed in second and third place by volume, with 81 and 61 bugs respectively, and average rewards of $1,220 and $2,470.

The United Kingdom and the Philippines rounded out the top five leaderboard at fourth and fifth place respectively.

Among the examples of submitted bugs was one involving Facebook's popular photo-sharing subsidiary Instagram.

Instagram is still in the process of shifting its datacenter resources from Amazon Web Services to its new parent company, and one bug cited in a blog post on Wednesday involved Amazon's Simple Storage Service (S3):

The regex that determined if an S3 bucket was legitimate or not had an error -- it allowed S3 buckets that Instagram did not control, letting the submitter register buckets like: distilleryimage00.s3.amazonaws.com. This is worth calling out because many websites use S3 and might be vulnerable to some variation of this issue.
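The class of mistake the quote describes, shown as an added illustration (not Instagram's actual regex or code): a bucket-name check written as a loose, unanchored pattern accepts S3 hostnames the site never provisioned, whereas comparing the parsed bucket label against an explicit allowlist of owned buckets does not. The bucket names and sample hostnames below are constructed for the example.

```python
import re

# Bucket names the application actually provisioned (constructed for this example).
OWNED_BUCKETS = frozenset({"distilleryimage0", "distilleryimage1", "distilleryimage2"})

S3_SUFFIX = ".s3.amazonaws.com"

# Weak check (a constructed illustration, not Instagram's real regex): it is unanchored
# and matches any run of digits, so it accepts bucket names nobody on the team created.
WEAK_PATTERN = re.compile(r"distilleryimage\d+\.s3\.amazonaws\.com")

def weak_is_legit(host: str) -> bool:
    return WEAK_PATTERN.search(host) is not None

# Hardened check: normalise, require the exact S3 suffix at the end of the whole
# hostname, then compare the bucket label against an allowlist rather than a shape.
def strict_is_legit(host: str) -> bool:
    host = host.strip().lower().rstrip(".")
    if not host.endswith(S3_SUFFIX):
        return False
    bucket = host[: -len(S3_SUFFIX)]
    return bucket in OWNED_BUCKETS

def audit(hosts):
    """Return hostnames the weak check accepts but the allowlist check rejects:
    each one names a bucket that someone other than the site owner could create."""
    return [h for h in hosts if weak_is_legit(h) and not strict_is_legit(h)]

# Constructed sample hostnames of the kind an app might see in image URLs.
SAMPLE_HOSTS = [
    "distilleryimage1.s3.amazonaws.com",             # owned
    "distilleryimage00.s3.amazonaws.com",            # shape from the report, never provisioned
    "distilleryimage7.s3.amazonaws.com",             # fits the pattern, never provisioned
    "distilleryimage1.s3.amazonaws.com.example.net", # S3 suffix not at the end of the host
    "cdn.example.net",                               # not S3 at all
]

if __name__ == "__main__":
    for h in audit(SAMPLE_HOSTS):
        print("weak check would accept unowned bucket host:", h)
```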

The bug bounty program continues to be a fruitful resource for the world's largest social network, counting more than 139 billion users worldwide.

Last October, Facebook doubled rewards for developers who discover flaws in the firm's advertising systems, encouraging white hat hackers to report security vulnerabilities following an internal security audit.

The Menlo Park, Calif.-based company boasted this week it has already received more than 100 valid reports since the start of 2015.