Facebook pays out US$40k bounties for spotting security bugs

30 Aug 2011

Social networking giant Facebook has so far paid out US$40,000 in rewards to outside experts who successfully pinpointed holes and bugs on its site. One researcher has received a single payout of US$7,000.

Joe Sullivan, Facebook’s chief security officer, said that despite hiring the best and brightest and investing heavily in various protocols, bugs slip through. Facebook has entire teams dedicated to searching and disabling the bugs and it also hires outside auditors to test its code.

“Our all night ‘bug-a-thons’ are also successful in locating and fixing issues. We realise, though, that there are many talented and well-intentioned security experts around the world who don’t work for Facebook. Over the years, we have received excellent support from independent researchers who have let us know about bugs they have found,” Sullivan said in the company’s blog.

He revealed that the program has been expanded to encourage security experts and users who are passionate about internet security to discover and report bugs in Facebook’s code.

So far experts and enthusiasts from 16 countries have taken part

“The program has already paid out more than US$40,000 in only three weeks and one person has already received more than US$7,000 for six different issues flagged.”

He went on: “Because bug reports are often complicated and can involve complex legal issues, we chose our words carefully when announcing the program. Perhaps because of this, there have been several inaccurate reports about how the program works.

“For example, some stories said that the maximum payment would be US$500, when in fact that is the minimum amount we will pay.  In fact, we’ve already paid a US$5,000 bounty for one really good report. On the other end of the spectrum, we’ve had to deal with bogus reports from people who were just looking for publicity.”

Sullivan said that Facebook has a dedicated Platform Operations team that scrutinises partners and we frequently audit their security and privacy practices.

“Additionally, we have built a number of backend tools that help automatically detect and disable spammy or malicious applications. People on our site agree that our protections, coupled with common sense, provide a rigorous level of security.

“A bug bounty program is a great way to engage with the security research community, and an even better way to improve security across a complex technological environment. Facebook truly does have the world’s best neighborhood watch program, and this program has proven that yet again for us,” Sullivan said.

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years