Facebook pays bug hunters $1 mn; India second biggest recipient

Social networking giant Facebook said it has paid over $1 million in the past two years to security researchers who report bugs on its website, with India second among recipients by country.

India, which has over 78 million Facebook users, is also second on the list of countries with the fastest-growing number of recipients of its Bug Bounty programme.

A bug is an error or defect in software or hardware that causes a programme to malfunction. It often occurs due to conflicts in software when applications try to run in tandem.

While bugs can cause software to crash or produce unexpected results, certain defects can be used to gain unauthorized access to systems.

Facebook said it started the Bug Bounty programme a little more than two years ago to reward security researchers who report issues and to encourage people to help keep the site safe and secure.

“The programme has been even more successful than we’d anticipated,” Facebook said in a statement on its website. “We’ve paid out more than $1 million in bounties and have collaborated with researchers from all around the world to stamp out bugs in our products and in our infrastructure.”

The social networking major said 329 people have received rewards, including professional researchers, students and part-timers. The youngest recipient was 13 years old.

By country, the U.S. leads the pack, boasting the most bounty recipients to date, followed by India, U.K., Turkey, and Germany. Even so, just 20 percent of bounties paid out so far have been to U.S.-based recipients. The U.S. is also the country with the fastest-growing number of recipients, followed by India, Turkey, Israel, Canada, Germany, Pakistan, Egypt, Brazil, Sweden, and Russia.

“This early progress is really encouraging, in no small part because programs like these can have a significant impact on our ability to keep Facebook secure,” Greene wrote. “Our Bug Bounty program allows us to harness the talent and perspective of people from all kinds of backgrounds, from all around the world.”

One issue discovered through the bug bounty program could have allowed someone to take over a Facebook group. If a group dropped to just one member, the system offered that person an admin role. A malicious user could potentially abuse this policy by joining a group and blocking every other user, which would trigger the system to promote that person to admin.

“This was an excellent bug, and if we received a report on it today, we’d pay out around $10,000 for it,” Greene wrote. While the bug hunters are spread across 51 countries, 20% of the bounties paid so far have gone to US-based recipients, it added.

“Our Bug Bounty program allows us to harness the talent and perspective of people from all kinds of backgrounds, from all around the world,” Facebook Security Engineer Collin Greene said. Two of the bounty recipients have taken up full-time jobs with the Facebook security team, he added.

A little more than two years ago, we launched a Bug Bounty program to reward the security researchers who report issues to us, and to encourage more people to help us keep Facebook safe and secure. So far the program has been even more successful than we’d anticipated: We’ve paid out more than $1 million in bounties, and have collaborated with researchers from all around the world to stamp out bugs in our products and in our infrastructure.

Looking at some of the data reveals just how well the program has taken off:

329 people have received a bounty so far. Some are professional researchers; others are students or part-timers. The youngest bounty recipient to date is 13 years old.

These researchers are spread across 51 different countries. Only 20% of bounties paid out so far have been to US-based recipients.

The countries with the most bounty recipients are, in order, the US, India, UK, Turkey, and Germany. The countries with the fastest growing number of recipients are, in order, the US, India, Turkey, Israel, Canada, Germany, Pakistan, Egypt, Brazil, Sweden, and Russia. Our largest single bounty so far has been $20,000. (There is no cap on the size of bounties in our program.)

Some individual researchers have already earned more than $100,000.

Two recipients have since taken full-time jobs with the Facebook security team. This early progress is really encouraging, in no small part because programs like these can have a significant impact on our ability to keep Facebook secure. After all, no matter how much we invest in security — and we invest a lot — we’ll never have all the world’s smartest people on our team and we’ll never be able to think of all the different ways a system as complex as ours might be vulnerable. Our Bug Bounty program allows us to harness the talent and perspective of people from all kinds of backgrounds, from all around the world.

Bugs of all shapes and sizes
The bugs we’ve been able to fix because of the program have varied widely in type and impact. Here’s one example, involving Facebook Groups:

If the membership of a Facebook Group drops to one member, and that member is not an admin, our system will offer the admin role to that member so he or she can invite more members, preserve the content in that Group, or shut down the Group if it’s no longer needed.

Totally independent of this, Facebook allows users to block one another for safety and privacy reasons. Blocking limits someone else from being able to see things you post on your Timeline and prevents them from starting conversation with you. Blocking is a powerful action, so the check for users being blocked happens before any of the Group checks.

Together, these two policies meant a malicious user could theoretically take over a Group by joining it and then blocking every other user in the Group, which would in turn trigger the Group to promote the malicious user to admin.

This was an excellent bug, and if we received a report on it today, we’d pay out around $10,000 for it.
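The Groups bug above is a classic composition flaw: each policy is reasonable on its own, but because the block filter runs before the membership check, the "one member left" condition is evaluated against a view the user controls. The toy model below is an added example, not Facebook's code; the data structures, user names and function names are constructed for illustration. It contrasts the vulnerable ordering with a hardened check that derives the admin-offer condition from the group's real membership rather than from what the requesting user can see.

```python
# Added example (not Facebook's code): modelling the two Groups policies described
# above. The vulnerable check counts members AFTER the viewer's block list has been
# applied; the hardened check counts the group's actual members.
from dataclasses import dataclass, field


@dataclass
class Group:
    members: set               # everyone who is actually in the group
    admins: set = field(default_factory=set)


@dataclass
class User:
    name: str
    blocked: set = field(default_factory=set)   # users this person has blocked


def visible_members(group: Group, viewer: User) -> set:
    """Membership as the viewer sees it: blocked users are filtered out first,
    mirroring 'the check for users being blocked happens before any Group checks'."""
    return {m for m in group.members if m not in viewer.blocked}


def should_offer_admin_vulnerable(group: Group, viewer: User) -> bool:
    """Vulnerable ordering: the 'only one member left' test runs on the
    viewer-filtered membership, so the viewer controls the count."""
    vis = visible_members(group, viewer)
    return vis == {viewer.name} and viewer.name not in group.admins


def should_offer_admin_hardened(group: Group, viewer: User) -> bool:
    """Hardened: the offer depends only on real membership. Blocking changes
    what a user can see, never what the group is."""
    return group.members == {viewer.name} and viewer.name not in group.admins


def build_takeover_scenario():
    """Constructed sample: a three-member group where 'mallory' (a plain member)
    has blocked the other two, including the real admin 'alice'."""
    group = Group(members={"alice", "bob", "mallory"}, admins={"alice"})
    mallory = User("mallory", blocked={"alice", "bob"})
    return group, mallory


def takeover_possible(check) -> bool:
    """Return True if `check` would hand mallory the admin role."""
    group, mallory = build_takeover_scenario()
    return check(group, mallory)


def legitimate_offer(check) -> bool:
    """Regression guard for the fix: a group that really has shrunk to one
    non-admin member must still be offered the admin role."""
    lone = Group(members={"carol"}, admins=set())
    return check(lone, User("carol"))


if __name__ == "__main__":
    print("vulnerable ordering lets mallory take over:",
          takeover_possible(should_offer_admin_vulnerable))
    print("hardened ordering lets mallory take over:",
          takeover_possible(should_offer_admin_hardened))
    print("hardened ordering still offers admin to a genuine lone member:",
          legitimate_offer(should_offer_admin_hardened))
```

The point of `legitimate_offer` is that the fix keeps the intended behaviour: the group-preservation feature still works when the group genuinely shrinks to one member. The general lesson for reviewers is that any authorization decision computed over a user-filtered view (blocks, mutes, privacy settings) should be re-derived from the unfiltered state before it grants privilege.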

Impact, communication, target, secondary damage
As the program continues to expand, we wanted to shed more light on the general criteria we use to determine the amount to pay researchers when they submit a bug. We base these decisions on four primary factors: impact, quality of communication, target, and secondary damage.

Impact: Would this bug allow someone to access private Facebook data? Delete Facebook data? Modify an account? Can you run JavaScript under facebook.com? These are high-impact vulnerabilities, and this is the most important attribute we consider. For example, an open redirect is worth less than an XSS, and an XSS that requires user interaction is worth less than one that doesn’t. Ease of exploitation plays into impact as well. Ultimately we pay these bounties to protect Facebook users, so the more users it could affect and the more damage it could do, the higher the impact.

Quality of communication: Can you provide detailed, easy-to-follow instructions on how to reproduce the issue? Do you have a proof of concept, or screenshots? Cooperation and good communication as we work to evaluate a submission is crucial. It is important to note that we do not reward anyone for speaking English or for writing long reports.

Target: Facebook.com, Instagram, HHVM, and our mobile applications are considered high-value targets, and typically earn more significant bounties than bugs in code not written by Facebook or bugs that are unrelated to user data.

Secondary Damage: Bugs that lead us to more bugs get bigger payouts. In these cases, the initial bug is much more valuable because the subsequent investigation and fixing of the original bug leads us to additional issues that we can fix.

How to get involved
We are very happy with our progress so far, and we want to thank everyone who has participated — you are the reason this works. If you’re interested in participating in the program, please head to https://www.facebook.com/whitehat/ to learn more.
