Facebook has revealed it has so far paid more than $40,000 to people who have found security bugs in its service. The company launched its security bug bounty program at the end of last month but says the number in question is for three weeks' worth of finding flaws. Palo Alto did not reveal how many bugs have been reported, nor how many have been fixed.
Under the new program, Facebook compensates security researchers for discovering vulnerabilities in the service's code. To cash in, hackers must sign up at Facebook's new whitehat hacking portal, called Information for Security Researchers, over at facebook.com/whitehat and report the issues directly to Facebook's security team.
Facebook offers a base payment of $500 (one bounty per security bug) but says it is willing to pay more if the discovered flaw is a major one. Joe Sullivan, Facebook's chief security officer, wanted to emphasize this last part.
"Because bug reports are often complicated and can involve complex legal issues, we chose our words carefully when announcing the program," Sullivan said in a statement. "Perhaps because of this, there have been several inaccurate reports about how the program works. For example, some stories said that the maximum payment would be $500, when in fact that is the minimum amount we will pay."
Facebook has confirmed that one person has already received more than $7,000 for six different issues flagged, while the website also paid a $5,000 bounty for a single especially good report. On the other hand, the company has had to deal with bogus reports from people who were just looking for publicity.
Some people have asked Facebook to extend the security bug bounty program to the Facebook Platform, which includes the Facebook apps and websites with Facebook plugins. The social network says this is not practical because it would implicate hundreds of thousands of third parties.
Instead, Facebook says it has a dedicated Platform Operations team that scrutinizes the company's partners and frequently audits their security and privacy practices. Facebook has also built a number of backend tools that help automatically detect and disable spamming or malicious applications.
"It has been fascinating to watch the roll-out of this program from inside Facebook," Sullivan said in a statement. "First, it has been amazing to see how independent security talent around the world has mobilized to help. We know and have relationships with a large number of security experts, but this program has kicked off dialogue with a whole new and ever expanding set of people across the globe in over 16 countries, from Turkey to Poland who are passionate about Internet security. Facebook truly does have the world’s best neighborhood watch program, and this program has proven that yet again for us."