Facebook Bug Bounty Program In 2013: 14,763 Submissions, 687 Awards Averaging $2,204


Facebook offered some statistics about its bug bounty program in a note on its Protect the Graph page, saying that it received 14,763 submissions in 2013, up 246 percent from the previous year, and 687 of those submissions qualified for awards.

The social network said it has paid out more than $2 million since starting its bug bounty program in 2011, and $1.5 million of that total came in 2013, to 330 researchers, with an average reward of $2,204. Facebook added that most of the bugs were discovered in “noncore” properties, such as websites operated by companies it has acquired.

According to Facebook, every submission was reviewed individually by a security engineer, and 6 percent were categorized as high-severity, with a median response time of about six hours.

As for individual countries:

  • Researchers in Russia earned the highest average amount per report in 2013, $3,961, reporting a total of 38 bugs.
  • India was responsible for the most valid bugs, 136, with payouts averaging $1,353.
  • India was followed by: the U.S. (92 valid bugs, $2,272 average reward); Brazil (53 bugs, $3,972); and the U.K. (40, $2,950).

Security Engineer Collin Greene said in the note:

2014 is looking good so far. The volume of high-severity issues is down, and we’re hearing from researchers that it’s tougher to find good bugs. To encourage the best research in the most valuable areas, we’re going to continue increasing our reward amounts for high priority issues.

One of the most encouraging trends we’ve observed is that repeat submitters usually improve over time. It’s not uncommon for a researcher who has submitted non-security or low-severity issues to later find valuable bugs that lead to higher rewards. To help encourage the best research, we’re making a few changes:

  • We created a new, centralized support dashboard to give researchers a simple way to view the status of their reports and keep track of the progress.
  • The following properties are now in scope: Instagram, Parse, Atlas Solutions, and Onavo.
  • We’re no longer going to reward text injection reports. Rendering text on a page isn’t a security issue on its own without some kind of additional social engineering, and we don’t reward phishing reports.
  • We created a reference list of commonly reported issues that are ineligible.

We will continue to increase bounties over time for high-impact issues. In general, the best targets for high-impact issues as a security researcher are facebook.com itself, the Facebook or Instagram mobile applications, or HHVM.

Readers: Are you surprised by the number of bugs reported to Facebook in 2013?
