Get Paid to Squash Bugs - Facebook Bounty Program Hits 5 & $5m

This year marks the 5th anniversary of the Facebook Bug Bounty Program. No, it's not some dystopian recruitment service to fight giant alien bugs a la Starships Troopers, nor is it some grand search for the long-lost Millenium Bug. Instead, the program encourages users to find harmful bugs and exploits in return for a compensation, recognition, a big bag of likes, or a pat on the back from the Zuck himself. All these goodies add up, and it turns out Facebook has given out $5 million over the five years the program has been active.

Bug bounty programs have been around for a while, with the creation of the first being attributed to Jarrett Ridlinghafer at Netscape in the mid-90s. The company had great success with the program, and it has become a common feature for outfits with a large, dedicated user-base. Notable bug bounty benefactors of course include Facebook (who at one point teamed up with Microsoft), Google, and even the US Department of Defence.

Facebook's program started in 2011, and they've paid out the impressive aforementioned $5 million over that time. There's a whole raft of guidelines to wade through, but anyone with a keen eye for code can get stuck in, and the program of course relies on the wider community to do so. Joey Tyson, a Facebook Security Engineer, described how 'launching and running a program of this size for five years is not easy --- and we couldn't have done it without the support of the broader security research community. In fact, we discovered many of the people now on our team through the community of researchers submitting reports.'

When submitted reports have been verified, Facebook then pays out based on the severity of the vulnerability. Facebook haven't released totals for the five years, but to give you some idea of the scope, there are some stats for the first half of 2016. There were:

• 9000 reports
• $611,741 to 149 researchers (the total $5 million has been to 900 researches).
• Top three countries by number of payouts:
• India
• USA
• Mexico

Thankfully, Facebook's payment process has now undergone an overhaul, such as automation and payment in Bitcoins. Earlier in the program, however, Facebook used to pay its bounty hunters with this snazzy white hat debit card (it stopped in 2014):

vigneshkumar on Flickr

Though the cards were kind of cool, they weren't popular and were kind of redundant, considering people just want their money in their own account. It certainly beats Yahoo's old payment method, though, which was to paid their users a measly $12.50 a bug. What's worse is that this was a store credit, redeemable on Yahoo merch. This obviously caused a stir, even being labelled as T-Shirtgate. Facebook, too, has been involved in controversies surrounding the Bug Bounty Program. A Palestinian security researcher named Khalil claimed that he wasn't paid after reporting a bug, which was dismissed as not dangerous. Khalil proved the danger to be real by posting on Mark Zuckerberg's own Facebook page. It seems Khalil was right to be sad that Facebook was ignoring his bug, legitimate grieve ants you might say.

Facebook states they will continue to improve the program and look to the future, 'making changes to better support our bug bounty community' and sharing 'more educational resources on security fundamentals and topics specific to our products.' The program definitely seems like a good way to earn some cash while improving user security, so get involved if you have the skills. Bounty Hunting needs you!

Bug the Bounty Hunter

Sam Franklin

With a masters in Literature, Sam inhales books and anything readable, spending his working hours reformulating the info he gathers into digestible articles. When not reading or writing, he likes to put his camera to work around the world, snapping street photography from Stockholm to Tokyo. Too much of this time spent in Japan teaching English has nurtured a weakness for sashimi, Japanese whisky, and robot cafés. Follow him @SamF_Songbird

Contact us on Twitter, on Facebook, or leave your comments below. To find out about social media training or management why not take a look at our website for more info: TheSMFGroup.com