Facebook paid over $1 mn to security researchers

05 Aug 2013

Social networking giant Facebook said that over the past two years it had paid more than $1 million to security researchers who reported bugs on its website.

According to a PTI report, security researchers from India, which boasts over 78 million Facebook users, accounted for the second-largest payments.

Researchers from India also take the second spot in the list of countries with the fastest-growing number of recipients of its Bug Bounty programme.

A bug is an error or defect in software or hardware that causes a programme to malfunction, often created by conflicts between applications that are run in tandem.

While bugs can result in a software crash or unexpected results, certain defects can be used to gain unauthorised access to systems.

According to Facebook, it launched the Bug Bounty programme a little over two years ago to reward security researchers who reported issues and to encourage people to help keep the site safe and secure.

"The programme has been even more successful than we'd anticipated," Facebook said in a statement on its website. "We've paid out more than USD 1 million in bounties and have collaborated with researchers from all around the world to stamp out bugs in our products and in our infrastructure."

The social network said 329 people had received rewards, including professional researchers, students and part-timers, with the youngest being 13 years old.

"This early progress is really encouraging, in no small part because programs like these can have a significant impact on our ability to keep Facebook secure," Collin Greene, security engineer at Facebook, said in a statement.

"After all, no matter how much we invest in security - and we invest a lot - we'll never have all the world's smartest people on our team and we'll never be able to think of all the different ways a system as complex as ours might be vulnerable. Our Bug Bounty program allows us to harness the talent and perspective of people from all kinds of backgrounds, from all around the world," Greene's statement said.

Facebook plans to expand the programme, but has not revealed details. The company uses a set of criteria to determine the amount to be paid to researchers when they submit a bug, depending on the nature and impact of the glitch uncovered.

Its major criteria for determining payments are:

Impact: Would the bug allow access to private Facebook data? Would it allow deletion of Facebook data or modification of an account? Ease of exploitation also plays into impact. Since the bounty is ultimately paid to protect Facebook's users, the more users a bug could affect and the more damage it could do, the higher the impact.

Quality of communication: Could the issue be reproduced from easy-to-follow instructions? Was there a proof of concept or screenshots?

Target: Facebook.com, Instagram, HHVM (HipHop Virtual Machine), and Facebook's mobile applications have been designated high-value targets, and typically brought in significantly larger bounties than bugs in code not written by Facebook or bugs that were unrelated to user data.

Secondary Damage: There are bigger payouts for bugs that led Facebook to more bugs. In such cases, the initial bug was much more valuable because the investigation and fixing of the original bug led Facebook to additional issues that the company could fix.