Just three weeks after the launch of its Bug Bounty Program, social networking giant Facebook announced that it has paid out US$40,000 in rewards so far to expert hackers who have successfully identified and reported security loopholes on the site.
Facebook introduced the Bug Bounty Program in an aim to encourage security researchers to report loopholes and glitches on the social networking site, and as a token of appreciation, Facebook offered them a monetary bounty of $500.
In a blog post, Facebook's Chief Security Officer Joe Sullivan stated: "During the past three weeks, Facebook has paid more than $40,000 to security experts around the world, with one individual receiving over $7,000 for identifying 6 different issues, while another person earned $5,000."
He also clarified that the $500 bounty is a minimum payout, thus attracting more security researchers to participate in the program and earn big bucks. However, it is also clear that the bounty program is only applicable to the Facebook website and has nothing to do with Facebook applications.
In addition, only the researcher who reports a bug first is rewarded. For instance, if two researchers find the same bug independently, only the first one to report it will be eligible to claim the reward.
If you are a security researcher, you might be interested in taking part in the Bug Bounty Program. Here are the eligibility criteria that every researcher must meet:
- You must be the first person to responsibly disclose the bug.
- Give Facebook a reasonable time to respond to your report before making any information public.
- You must live in a country not under any current U.S. Sanctions.
- You agree to report issues that may compromise a user's information, including Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF/XSRF) and Remote Code Injection.
- Only one payment per bug will be awarded.
- Bugs in third-party applications, third-party websites that integrate with Facebook, Denial of Service Vulnerabilities or Spam or Social Engineering techniques will not be eligible.
While Facebook is being extremely loyal and generous to security researchers by paying them what they deserve, other companies like Google and Mozilla run similar programs. Earlier, in August 2010, it was reported that Google had given away an estimated total of $10k in rewards. Mozilla also has a bug bounty program which pays $3,000 in hard cash plus a free Mozilla T-shirt for finding bugs!
On a similar note, in 2007 the Business Software Alliance announced that tipsters who report their company's illegal use of unlicensed software could earn payouts of up to $1 million.