Facebook has announced that India has topped the list of 127 countries whose researchers contribute to its bug bounty program. It also holds the top position for the most bounties paid. Facebook representatives visited the country for the Nullcon conference along with bug bounty teams from Google, Microsoft, Bugcrowd, and Mozilla to thank the security researchers in India. During the event, Facebook explained how it calculates the risk associated with a bug and how it calculates bounties. In addition, it told the researchers how to maximize their bounties.
Read the complete press release below:
The security community in India is strong and growing every day. India has long topped the list of 127 countries whose researchers contribute to our bug bounty program. It also holds the top position for the country receiving the most bounties paid. Naturally, we were eager to meet some of these researchers who have helped us better protect the people on Facebook. We don't often get the opportunity to meet with them in person and sometimes, that's exactly what's needed for relationships to move forward.
One of the best ways we can advocate for the security researcher community is to acknowledge that the success of our bug bounty program isn't just about the individual vulnerability reports we receive. It's also about building positive relationships with thousands of people whose technical and cultural experiences may differ from our own. These relationships require trust and we appreciate that so many researchers in India have demonstrated their trust in us through the numerous bugs they've reported over the years.
We arrived in Goa for the Nullcon conference (along with bug bounty teams from Google, Microsoft, Bugcrowd, and Mozilla) to say “thank you” and celebrate the work of India's security research community. Facebook receives more and more high-impact bugs from India each year, reflecting the growing sophistication and technical capabilities of the country's engineering schools and cybersecurity programs. We also hoped conference attendees would share feedback with us on what we could do better to serve their needs and provide more support for researchers who want to maximize the value of their reports.
To our delight, the researchers we met were forthcoming with feedback and questions. What transpired was an invaluable exchange of information and experiences about how our team evaluates vulnerability reports, what makes good reports stand out, and what kind of bugs generate the highest payouts. We know many researchers in India (and around the world) weren't able to attend Nullcon, so we're publishing a recap of some of those discussions here for everyone's benefit.
The Facebook bug bounty program pays out based on a bug's risk, rather than its complexity or cleverness. This means you can maximize the value of your report by focusing on high-impact areas and submitting good quality reports. We strongly recommend you check out our policy at facebook.com/whitehat before starting your investigation. Below are a few highlights we shared with the community at Nullcon.
How we calculate risk
First, we look at the potential impact of a bug, what could possibly go wrong, and who would be affected. The primary goal of our program is to protect the people who use Facebook, so bugs that impact end users are the most important to us. We also consider the difficulty of exploiting the vulnerability and what kind of resources or technical skills a successful attack would require. Our team then looks at whether any existing features can already mitigate the issue, e.g. in many cases rate-limiting mechanisms prevent brute-force attacks. Another component of calculating risk is evaluating whether the reported behavior violates the intended use of our product. Sometimes what may seem like a bug is actually a feature designed to give people a better experience on Facebook.
How we calculate bounties
After evaluating the considerations above, our team determines a base payout for each eligible report. The amount we pay for bounties is generally consistent across similar issues, but it can change as the risk landscape evolves. We also reserve the option to award researchers more than the base amount if the report itself exhibits a high level of clarity, sophistication, and detail.
How you can maximize your bounties
The most important factor for getting the maximum bounty possible is to focus on high-risk vulnerabilities, specifically those with widespread impact. We recently published our 2015 highlights and noted that many of our top participants are focusing their research on inconsistencies in business logic rather than traditional security issues. These vulnerabilities often receive higher payouts due to their proliferation across our platform. So, if you're looking to maximize your bounties, focus on quality over quantity.
The second most important factor is to provide all the information you can in your initial submission with detailed reproduction steps. Our team processes hundreds of reports a day and having a complete picture of the issue you're reporting makes it possible for us to quickly deploy fixes and confirm your bounty. We published a guide on how to write a great submission here.
Be mindful that some acquired platforms and products that aren't part of facebook.com are not currently in scope for our bug bounty program and aren't eligible for bounties.
Finally, remember our disclosure guidelines and keep your research focused on the vulnerability. Do not move into exploiting the bugs you find or your reports could become ineligible for a bounty.
We are grateful to the security community in India for their hospitality and interest in our program. We're looking forward to strengthening our relationship with these researchers and building even more trust with the global research community.