2011-09-01
Abstract
Facebook introduces bug bounty, pays out $40,000 in first month.
Copyright © 2011 Virus Bulletin
Facebook has paid out a total of $40,000 in the first three weeks of its ‘bug bounty program’, in which researchers are given a financial reward for reporting new bugs found in the company’s software code. The scheme was announced at the start of August, with a minimum payment of $500 for the disclosure of previously undiscovered security bugs.
In the first three weeks of the programme one individual was awarded more than $7,000 for having given the company a heads up on six different issues, while another received $5,000 for ‘a really good report’.
In offering a reward for bug disclosure Facebook follows in the footsteps of other companies including Google and Mozilla. Last year Mozilla – whose bounty programme has been running for six years – increased the reward it pays for reports of security flaws in its software to $3,000 (plus a Mozilla T-shirt). Meanwhile Google, whose bounty programme was announced 20 months ago, pays a maximum of $3,133.7 for a single bug (but no T-shirt), with the base reward for less serious bugs remaining at $500.
Facebook has attracted criticism from within the security industry for its lack of monitoring of the third-party applications and websites that are built via the Facebook Platform, and has been asked whether it plans to extend the bounty programme to cover these. However, the company says that it would not be practical to do so because of the sheer number of third-party services implicated.
