SecurityWeek

Risk Management

Facebook Paid Out $4.3 Million in Bounties Since 2011

Facebook has paid out a total of more than $4.3 million since the launch of its bug bounty program in 2011, the social media giant said on Tuesday.

According to the company, 5,543 researchers from 127 countries submitted over 13,000 vulnerability reports last year. Of the total, only 526 reports from 210 researchers were valid and resulted in payouts of $936,000, with an average of $1,780. The highest number of rewards went to India, Egypt, and Trinidad and Tobago.

The most noteworthy vulnerability reports from 2015 involved a lack of CSRF protection on Facebook’s messenger.com website, abuse of the GraphQL search feature to infer hidden data, and a bypass of CSRF protection.

The total bounty amount decreased in 2015 compared to the $1.3 million paid out in the previous year, but the number of submissions classified as “high impact” increased by 38 percent.

Facebook attributed this growth to the increasing quality of vulnerability reports, which now typically include clear instructions for reproducing the bug and a description of the theoretical attack scenario.

“The best reports come from researchers who prioritize a few important issues instead of submitting a large number of reports about various low-impact bugs,” Reginaldo Silva, security engineer at Facebook, explained in a blog post.

As Facebook has become better at ensuring that traditional flaws like XSS and CSRF are eliminated during the development cycle, many bounty hunters have turned their attention to business logic inconsistencies. High quality reports describing such issues allow the company to address entire vulnerability classes at once, Silva said.

“Another important part of the program’s success stems from the trust between Facebook and the researcher community, so we invest a lot in those relationships,” Silva said. “We carefully investigate and respond to every submission, and are committed to doing so as promptly as possible, typically within a few days. We reward valid security issues based on several considerations and it’s not uncommon for researchers to tell us that the bounty they received is higher than they expected.”

While many researchers are pleased with the way Facebook runs its program, there have been cases where the social media giant quarrelled with bounty hunters over a flaw’s eligibility for a reward and the way vulnerability reports had been handled.

Related: Facebook Pays Out $7,500 Bounty for Account Hijacking Flaw

Related: GitHub Paid $100,000 Since Launch of Bug Bounty Program

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.