On the principle that there is strength in numbers, Facebook has started a program that pays anyone who finds a security vulnerability in the social network, starting at $500 per bug and rising with how serious the discovered flaw is.
So far, Facebook has paid out at least $40,000 in rewards to bug hunters. That may not seem like much, but given that the program only started at the beginning of August, it gives an idea of the scale the company is prepared to operate at. Even though the company can certainly afford to hire security experts, it chose to rely on the crowd as well. One of the main advantages of that decision is the speed at which bugs get discovered.
Facebook Chief Security Officer Joe Sullivan declared: “We know and have relationships with a large number of security experts, but this program has kicked off dialogue with a whole new and ever expanding set of people across the globe in over 16 countries, from Turkey to Poland who are passionate about internet security.”
Bogus reports were not long in coming, but alongside them came numerous genuine bug reports. Joe Sullivan also wrote on Facebook's security blog that the company was impressed by the response from independent security researchers around the world. Because the program has no geographical restriction, Facebook has researchers in every time zone on its side, and bug reports arrive around the clock.
The bounty seems to depend not only on the severity of the reported bugs but also on their number, since each valid report is paid separately: one bug hunter received $5,000 for reporting a single major vulnerability, while another collected more than $7,000 for six smaller bugs.
For now, Facebook does not intend to extend the program to the whole platform. According to Sullivan, the reason is the enormous number of third-party services integrated into Facebook, whose code the company does not itself maintain. By comparison, Google pays at most $3,133.7 for a single bug report, and Microsoft's $250,000 figure is the purse of its BlueHat Prize for defensive mitigation research rather than a per-bug payment. Facebook, however, has set no maximum, so the payout depends entirely on how serious the discovered bugs really are.