As part of its “bug bounty” programme, Facebook has so far paid out over $1 million to researchers who have spotted vulnerabilities in the social networking website. By country, the U.S. leads the list of most bounty recipients followed by India. The UK is at the third position while Turkey is fourth. The countries with the fastest growing number of recipients are, in order, the US, India, Turkey, Israel, Canada, Germany, Pakistan, Egypt, Brazil, Sweden, and Russia.
Facebook security engineer Collin Greene says in a Friday blog post that the company has given bounties to 329 people across 51 different countries. Facebook has hired two recipients full-time for discovering loopholes that could have allowed malicious hackers to target the network and its users. The youngest bounty recipient is 13 years old. Facebook’s largest single bounty so far has been $20,000, and some individual researchers have earned more than $100,000 in total.
“This early progress is really encouraging, in no small part because programs like these can have a significant impact on our ability to keep Facebook secure. After all, no matter how much we invest in security — and we invest a lot — we’ll never have all the world’s smartest people on our team and we’ll never be able to think of all the different ways a system as complex as ours might be vulnerable. Our Bug Bounty program allows us to harness the talent and perspective of people from all kinds of backgrounds, from all around the world,” says Collin Greene.
Facebook further says the programme has enabled it to fix a number of serious bugs, which vary widely in type and impact. As an example, Facebook describes a bug that could have allowed someone to take over a Facebook Group.
“If the membership of a Facebook Group drops to one member, and that member is not an admin, our system will offer the admin role to that member so he or she can invite more members, preserve the content in that Group, or shut down the Group if it’s no longer needed.”
“Totally independent of this, Facebook allows users to block one another for safety and privacy reasons. Blocking limits someone else from being able to see things you post on your Timeline and prevents them from starting a conversation with you. Blocking is a powerful action, so the check for users being blocked happens before any of the Group checks. This was an excellent bug, and if we received a report on it today, we’d pay out around $10,000 for it.”
Other Internet companies have launched bug bounty programmes of their own. Microsoft launched a similar programme this year, with three bounty campaigns for finding vulnerabilities in Windows 8.1 and Internet Explorer 11.