The minimum reward amount is $500, and there is no maximum reward or ceiling.
The social network states that "each bug is awarded a bounty based on its severity and creativity," but only one bounty is paid out per bug found.
Bounties aren't necessarily easy to come by, though, as last year's results show: of all the submissions received, only 687 were deemed valid and eligible for a reward.
Facebook security engineer Collin Greene noted in a blog post on Thursday that most bugs derived from "non-core properties," notably websites owned and operated by some of Facebook's acquisitions.
Only six percent of those eligible bugs, Greene revealed, were rated high severity.
From Greene's post: "Every one of the almost 15,000 submissions we received last year was reviewed individually by a security engineer, and our team is still small (here's how to join us: https://fburl.com/16354608). Most submissions end up not being valid issues, but we assume they are until we've fully evaluated the report. That attitude makes it possible for us to triage high-priority issues quickly and get the right resources allocated immediately. As mentioned above, we've managed to take the median fix time for high-severity issues down to just 6 hours, and we're going to continue focusing on efficiency as the program grows. We also use static analysis and other automated tools where applicable to help prevent engineers from repeating mistakes later."
Overall, Facebook paid out approximately $1.5 million to 330 researchers worldwide in 2013, with an average reward of $2,204.
Broken down by country, Russia topped the list by average payout, at $3,961 for 38 eligible bugs. The United States had more eligible bugs, 92, but a lower average reward of $2,272. India, Brazil, and the United Kingdom rounded out the top five.