Facebook pays out under bug-hunter bounty program

Facebook’s bug-hunter bounty program has paid out more than $40,000 in just three weeks.

The company launched the program at the beginning of this month, promising a minimum of $500 for each qualifying vulnerability reported, with more for exceptional cases.

Since then, the company says it’s had to deal with bogus reports from people who were simply looking for publicity – but has had many more genuine bug reports.

“It has been fascinating to watch the roll-out of this program from inside Facebook. First, it has been amazing to see how independent security talent around the world has mobilized to help,” says chief security officer Joe Sullivan on the company’s security blog.

“We know and have relationships with a large number of security experts, but this program has kicked off dialogue with a whole new and ever-expanding set of people across the globe, in over 16 countries from Turkey to Poland, who are passionate about internet security.”

He says that Facebook has already paid out tens of thousands of dollars, with one ‘really good report’ netting its finder $5,000. Another individual has received more than $7,000 for flagging six different issues.

Facebook doesn’t give a top figure for what it’s prepared to pay. For comparison, Google’s top reward for a web vulnerability is $3,133.7; the $250,000 Microsoft has offered is not a bug bounty at all, but a reward for information leading to the arrest of the operators of the Rustock botnet.

Sullivan says that, despite user requests, it’s not possible to extend the program to the Facebook Platform: there are simply too many different third-party services involved. It’s a fair enough point, although rather a shame, given that third-party applications are where the vast majority of problems arise.