Facebook announced this week that it’s paid out more than $5 million to 900 researchers in the five years since it implemented its bug bounty program.
The social network announced the figures, including some preliminary statistics around how the program has fared so far this year, in a blog post late Wednesday night.
> Facebook has paid out $5M in 5 years of bug bounty! <https://t.co/j2vlBfUm1A> > > — Alex Stamos (@alexstamos) October 12, 2016
Facebook paid out a portion of that $5M figure – $611,741 – to 149 researchers in the first half of 2016 alone. Joey Tyson, a security engineer on Facebook’s bug bounty team, said they’ve received an influx of reports this year – 9,000 from January to June. That’s quite the uptick compared to the the 13,233 submissions Facebook said it received in all of 2015.
So far this year, researchers in India, the United States, and Mexico account for most of the payouts, Tyson says.
The company has refined the program over the years, Tyson said. Now when Facebook issues award notifications, it includes information on how the bounty was determined.
“We continue to make these decisions based on real (rather than perceived) risk and will share more details on the thinking behind each award,” Tyson wrote of the notification process.
When the company awarded $16,000 to Arun Sureshkumar, a security researcher in India who found a bug last month, Neal Poole, a member of the company’s security team, told him how Facebook arrived at that figure. Poole told Sureshkumar that his bug merited $16,000 because it could have led to page takeover; also, while investigating his report, they fixed another related issue that increased the payout.
The company was one of the first websites to launch a bug program when it followed in the footsteps of both Mozilla and Google in August 2011. The company received some flak early on however, because it was awarding much less than its contemporaries – a flat $500 – to researchers who identified bugs such as script errors and code injection vulnerabilities.
The company eventually increased the amount it paid out to researchers and saw a dramatic spike in submissions; in 2013 it paid $1.5M to 330 researchers and in 2014 it paid $1.3M to 321 researchers. Citing a dearth of XSS and CSRF bugs, the company paid fewer researchers, 210, in 2015. That said, the company still paid almost $1M – $936K – to researchers that year. If they continue with a similar trajectory, today’s statistics put Facebook on track to either tie or exceed the $1.3M it awarded in 2014.
The company made WhatsApp, the popular messaging app it acquired for $19 billion in 2014, eligible for the program earlier this year. In addition to Instagram, Facebook, and Facebook Messenger, the bounty program also includes a handful of lesser known Facebook-branded products, such as Oculus, Atlas, and its open source SQL-based detection tool osquery.
In February, the company paid $10,000 to a 10-year-old boy from Finland after he discovered an API bug in the image sharing app Instagram, which Facebook bought for $1B in 2012. The vulnerability allowed the boy, “Jani,” to erase comments from any account.
The company also awarded $15K to a researcher in March for uncovering a password reset bug that affected 1.1 billion accounts and an undisclosed sum in June to a researcher who found bug in Messenger that allowed an attacker to modify chats.