Threat Management, Vulnerability Management

Facebook has already paid $40,000 for bug finds

Just three weeks after launching its new bug bounty program, Facebook has already doled out $40,000 for the private disclosure to researchers.

Facebook late last month announced it would provide monetary awards for the private disclosure of certain flaws that may “compromise the integrity or privacy of Facebook user data.”

Since then, one researcher already has received more than $7,000 for reporting six different issues, Joe Sullivan, Facebook's chief security officer, wrote in a blog post Monday on the Facebook Security page. And while $500 is the minimum bug reward, the social media giant has furnished $5,000 for one “really good report."

Since launching the program, Facebook has heard from researchers in more than 16 countries. Though the issue of whether companies should provide  incentives for the disclosure of security vulnerabilities has garnered debate among security professionals, Sullivan said Facebook's program has been more valuable than anticipated.

“It has been a joy to engage in dialogue about issues and hear from the diverse perspectives these people bring,” Sullivan wrote. “The program has also been great because it has made our site more secure – by surfacing issues large and small, introducing us to novel attack vectors, and helping us improve lots of corners in our code.”

As a downside, however, Facebook has had to deal with fake reports from individuals who are just looking for notoriety, he added.

Also, while the program has largely been a success, it will not be extended to the Facebook Platform or third-party applications and websites.

Instead, the company will deal with threats on these programs by relying on tools to automatically detect and shut down malicious and spam-sending applications.

“We have a dedicated platform operations team that scrutinizes these partners and we frequently audit their security and privacy practices,” Sullivan wrote.

Several other companies have bug bounty programs, including Google, Mozilla and Barracuda Networks.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.