Facebook's bug bounty: Now it's paid out $5m for security flaws to 900 hunters

Facebook's bug bounty program turns five this year and is on track once again to pay out about $1m to researchers.
Written by Liam Tung, Contributing Writer

Facebook says it's received 9,000 bug reports in the first half of this year alone.

Image: Kamel Adjenef

Facebook has paid out $5m to researchers over five years for reporting bugs in its social-media, messaging, and hardware platforms.

It kicked off its bug bounty program in 2011. Now in its fifth year, the program pays researchers for reporting bugs not just in Facebook sites and apps, but also in Instagram, Oculus Rift, Free Basics and, as of this year, WhatsApp.

According to Facebook, the program has paid out $5m to over 900 researchers in that time. Over $610,000 of that went to 149 researchers in the first half of 2016, mostly to researchers in India, the US, and Mexico, according to Joey Tyson, a security engineer on the Facebook Bug Bounty team.

Tyson said Facebook received 9,000 bug reports in the first half of this year but didn't reveal how many it has accepted as valid. The number is likely to be very small, though, given that the 13,233 bug reports it received last year translated to 526 valid reports and $936,000 paid to 210 researchers.

The program allows Facebook to improve the security of products that are used by billions of people by tapping researchers from across the globe who might find high-impact bugs missed by Facebook's product security team during development.

For example, Indian security engineer Anand Prakash received $15,000 in March for a simple bug that could have let him hijack any one of Facebook's 1.4 billion accounts due to a missing password security feature on Facebook's beta site.

The first-half figures suggest the program may exceed the $936,000 it paid last year and return to previous levels. It paid $1.3m to 321 researchers in 2014, and $1.5m in 2013.

Besides plugging security holes, Facebook also uses the program as a way to recruit skilled hackers.

"Launching and running a program of this size for five years is not easy, and we couldn't have done it without the support of the broader security research community. In fact, we discovered many of the people now on our team through the community of researchers submitting reports," Tyson writes.

He said Facebook will introduce changes to keep researchers happy. As he notes, Facebook has already introduced payments in Bitcoin and automated its payment system; it will also begin to offer details on the rationale behind the awards it gives.
