Facebook doled out $1.5M in bug bounty rewards in 2013

Facebook received 14,763 bug submissions in 2013, a whopping 246 percent increase in one year.
Written by Rachel King, Contributor

For eager web developers or even benevolent hackers just looking to help out, Facebook's bug bounty program continues to serve as a fruitful starting point.

The world's largest social network just published stats for the security research program, showing no sign of waning interest last year.

For starters, Facebook received 14,763 bug submissions in 2013, a whopping 246 percent increase in one year.

The Menlo Park, Calif.-based company first launched its bug bounty program back in 2011.

The guidelines for submission are available in full detail on Facebook itself.

The minimum reward amount is $500, and there is no maximum reward or ceiling.

The social network states that "each bug is awarded a bounty based on its severity and creativity." But only one bounty, or financial reward, is paid out per bug found.

But bounties aren't necessarily easy to come by, as demonstrated by last year's results. Of the aforementioned number of submissions, only 687 were deemed valid and eligible to receive financial compensation.

Facebook security engineer Collin Greene noted in a blog post on Thursday that most bugs derived from "non-core properties," notably websites owned and operated by some of Facebook's acquisitions.

Only six percent of eligible bugs, Greene revealed, were labeled as high severity.

"Every one of the almost 15,000 submissions we received last year was reviewed individually by a security engineer, and our team is still small (here's how to join us: https://fburl.com/16354608). Most submissions end up not being valid issues, but we assume they are until we've fully evaluated the report. That attitude makes it possible for us to triage high-priority issues quickly and get the right resources allocated immediately. As mentioned above, we've managed to take the median fix time for high-severity issues down to just 6 hours, and we're going to continue focusing on efficiency as the program grows. We also use static analysis and other automated tools where applicable to help prevent engineers from repeating mistakes later."

Overall, Facebook paid out approximately $1.5 million to 330 researchers worldwide in 2013, with an average reward of $2,204.

When breaking results down by country, Russia topped the scoreboard with an average of $3,961 in rewards for 38 bugs reported. The United States saw 92 bugs deemed eligible, but the average reward was closer to $2,272. India, Brazil, and the United Kingdom were also highlighted in the top five.
