Facebook is paying out less for bug reports - and that's a good thing

What's behind Facebook's shrinking bug bounty payouts to researchers who report flaws?
Written by Liam Tung, Contributing Writer


Facebook's total annual payout to security researchers for reporting security issues was over $300,000 less in 2015 than it was in 2014 -- and that's good news, according to the social network.

Along with declining total payments to researchers under its five-year-old 'white hat' bug bounty program, Facebook received fewer bug submissions and fewer valid reports in 2015 than in either of the previous two years.

Last year Facebook paid $936,000 to 210 researchers for a total of 526 valid reports, down from the $1.3m it paid to 321 researchers in 2014, and the $1.5m it forked out the year prior.

Valid submissions were a tiny fraction of the 13,233 total submissions it received from 5,543 researchers last year. That figure was also down, from 17,011 total submissions in 2014 and 14,763 in 2013.

One figure that did remain fairly constant was the average payout, which was $1,780 in 2015 and $1,788 in 2014 -- though that's also down from the $2,204 average per reward in 2013. Researchers in India were again the top recipients of payouts last year, while participants from Egypt and from Trinidad and Tobago pipped the previous year's runners-up, the UK and US.

So what's behind downward trending figures for Facebook's bug bounty? Are web developers and security-minded tinkerers losing interest in Facebook's program?

Not so, according to Facebook security engineer Reginaldo Silva, who says Facebook is simply getting better at catching traditional web application bugs, such as cross-site scripting (XSS) and cross-site request forgery (CSRF), early in development, before external researchers can find them. That's pushing top performers to focus on higher-impact bugs.

"As the program matures and traditional security issues like XSS and CSRF become more difficult to find, many of our top participants are focusing their research on our business logic," said Silva.

Silva said that last year's high-impact submissions totalled 102 reports, up 38 percent on 2014. Facebook also reported that 61 eligible bugs last year were "high severity", an increase of 49 percent on the previous year.

The focus on weaknesses in business logic is useful to Facebook since, as Silva points out, it allows the company to "eradicate entire classes of vulnerabilities all at once".

"With our vantage point (and source code access), we can apply a researcher's findings to our entire codebase, and if we find any unintended or potentially confusing behavior, the report is quickly assigned as high impact. Both high-quality reports and the focus on business logic make it easier for our team to better evaluate high-impact submissions," said Silva.

According to Silva, Facebook has now paid out $4.3m to 800 researchers since launching the bug bounty program in 2011.

Google recently reported it had paid more than $6m in rewards since launching its bug bounty in 2010, and unlike Facebook's, its total annual payouts are trending upwards. That's partly attributable to the addition of Android on Nexus devices to the program in June, which contributed $200,000 to the total $2m it paid in 2015, up from $1.5m the previous year.
