Facebook’s Bug Bounty Program Paid Over $1M To 329 People In 2 Years. India Second Biggest Recipient

Facebook started Bug Bounty Program two years back and according latest announcement more than $1 million has been paid in rewards out to 329 people in 51 countries.

facebook logo

Enticing users to share if they have found security vulnerability in a system and rewarding genuine ones along with fixing them is one of the accepted ways by tech giants to keep platforms bug free. The world’s largest social network Facebook started a similar program 2 years back – Bug Bounty Program and according to a latest announcement more than $1 million has been paid in rewards out to 329 people in 51 countries.

Facebook bounty program India

Security Engineer Collin Greene reported in a note on the Facebook security page –

“So far the program has been even more successful than we’d anticipated: We’ve paid out more than $1 million in bounties, and have collaborated with researchers from all around the world to stamp out bugs in our products and in our infrastructure.”

Collin accepts that the progress has been satisfying and has had significant impact in keeping Facebook secure.

“After all, no matter how much we invest in security — and we invest a lot — we’ll never have all the world’s smartest people on our team and we’ll never be able to think of all the different ways a system as complex as ours might be vulnerable,” Collin added on the necessity of such programs.

The program has also allowed Facebook to get in touch with potential employees and two recipients from the program have taken full-time jobs with the Facebook security team.

Besides this Collin has shared some noteworthy data –

1. 329 people across 52 countries have received a bounty so far. The youngest bounty recipient to date is a 13 year old user.

2. Only 20% of bounties paid out so far have been to US-based recipients. India is the second biggest recipient of the most bounties followed by UK, Turkey, and Germany. Besides these countries US, India, Turkey, Israel, Canada, Germany, Pakistan, etc. are the countries that have the fastest growing number of recipients.

3. Facebook says that till date there has been no cap on the size of bounties and the largest single bounty so far has been $20,000. Some individual researchers have already earned more than $100,000.

The note also shares details about an excellent bug which related to Facebook Groups. The bug was reported recently and Facebook paid out around $10,000 for it.

Harsha Vardhan Boppana, the bounty receiver from India

A year back Facebook had rewarded two Indians – Rishal Dwivedi and Harsha Vardhan Boppana with White Hats and Bounty Program for reporting 2 bugs in its code.

Harsha is an engineering student and his interest lies in ethical hacking. He had shared with me that he had reported 5 bugs out of which Facebook had accepted 2 of them, for which he received $1000. On reading the Facebook announcement that the social network has paid 329 people, he had this to share with his friends on Facebook:

“Happy that I was one of the 329 Facebook BugBounty Program recipients as per official records. Logical thinking always helps in finding bugs that can’t be found by any tools.”

Four primary factors considered to determine the pay

The Facebook announcement also made sure that they shed more light on the general criteria to determine the amount to pay researchers when they submit a bug. The basis of these decisions is based on four primary factors stated in Collin’s note:

1. Impact: Would this bug allow someone to access private Facebook data? Delete Facebook data? Modify an account? Can you run JavaScript under Facebook.com? These are high-impact vulnerabilities, and this is the most important attribute we consider. For example, an open redirect is worth less than an XSS, and an XSS that requires user interaction is worth less than one that doesn’t. Ease of exploitation plays into impact as well. Ultimately we pay these bounties to protect Facebook users, so the more users it could affect and the more damage it could do, the higher the impact.

2. Quality of communication: Can you provide detailed, easy-to-follow instructions on how to reproduce the issue? Do you have a proof of concept, or screenshots? Cooperation and good communication as we work to evaluate a submission is crucial. It is important to note that we do not reward anyone for speaking English or for writing long reports.

3. Target: Facebook.com, Instagram, HHVM, and our mobile applications are considered high-value targets, and typically earn more significant bounties than bugs in code not written by Facebook or bugs that are unrelated to user data.

4. Secondary Damage: Bugs that lead us to more bugs get bigger payouts. In these cases, the initial bug is much more valuable because the subsequent investigation and fixing of the original bug leads us to additional issues that we can fix.

Have you witnessed a security flaw in Facebook then you can report it here and you too can make some bounties.

Image courtesy: Philly.com