Leave a comment

Facebook's Bug Bounties are Shrinking

Facebook's Bug Bounties are Shrinking
This week, Facebook announced its 2015 figures for its "white hat" bug bounty program.

"Since it launched in 2011, our bug bounty program has received 2,400+ valid submissions and awarded more than $4.3 million to 800+ researchers around the world," said Facebook. In 2015, however, the total annual payout to security researchers for reporting bugs was $300,000 less than the year prior. Last year, Facebook paid $936,000 to 210 researchers who submitted a total of 526 valid reports; the average payout for reporting a valid issue was $1,780. In 2014, Facebook paid $1.3 million to 321 researchers and the year prior the company paid out $1.5 million for bug bounties. These valid submissions are just a fraction of what Facebook receives, but these figures are on the decline as well. In 2015, Facebook received 13,233 total submissions, down from 17,011 in 2014.

While the number of reported bugs and the cost of the bug bounty program are on the decline, the bug bounty team noted an increase in the number of "high impact" submissions. "Our team classified 102 bug bounty submissions as high impact, an increase of 38 percent over 2014," said Facebook. "This growth reflects two particularly important trends. First, the quality of reports we receive is getting better over time, both in terms of clear step-by-step instructions to reproduce the issue as well as thoughtful consideration of potential risk to people who use Facebook." It added, "The second trend is that we're receiving more reports about inconsistencies in our business logic, which gives us the ability to eradicate entire classes of vulnerabilities all at once."

Photo: © iStock.
Add comment