Facebook Awards $5m As Bug Bounty Scheme Turns Five

Facebook said it has awarded more than $5 million (£4m) through its bug bounty programme since the scheme launched five years ago.

The programme, similar to those operated by Microsoft, Google, HP and others, is intended to encourage researchers to independently track down bugs before they are found by attackers.

WhatsApp added

Since its foundation in October 2011, the programme has paid out around $1 million a year for bugs found in Facebook, as well as in other company properties including Instagram, Oculus Rift and Free Basics. This year Facebook added WhatsApp to the programme.

After paying out $1.5 million in 2013 and $1.3 million in 2014, Facebook awarded $936,000 to researchers last year.

But the figures so far for this year suggest a higher total, with $611,741 paid to 149 researchers out of a total of 9,000 reports.

In all more than 900 researchers have been paid over the five-year period, with most coming from India, followed by the US and Mexico.

In March Facebook paid researcher Anand Prakash $15,000 for spotting a bug that could have allowed anyone to hijack any Facebook account via a missing password security feature on a beta-testing site.

‘Real risk’

Facebook said it has added information on how specific bounties were calculated to its notifications, saying it calculates the rate based on “real (rather than perceived) risk”.

The programme has expanded this year to include Bitcoin payments, and payments have been automated to speed up the process, Joey Tyson, a security engineer on the Facebook Bug Bounty team, said in a blog post.

The programme has been part of a wider industry trend and Tyson said Facebook has had broad support from IT security professionals.

“In fact, we discovered many of the people now on our team through the community of researchers submitting reports,” he wrote.

This year Apple and security firm Kaspersky Lab launched bug bounty schemes, as did porn site Pornhub.

Matthew Broersma

Matt Broersma is a long-standing tech freelance who has worked for Ziff-Davis, ZDNet and other leading publications.
