Roughly two years ago the social networking website Facebook launched a Bug Bounty Program to reward people who find bugs in the site and to encourage people to help make the site more secure and safe. Now, after two years, Facebook says the Bug Bounty Program has proved more successful than expected: through the initiative the social networking site has paid out over $1 million in bounties and collaborated with researchers from across the world. Facebook revealed these details in a blog post published on August 2nd. Below are a few excerpts from that post:
“Looking at some of the data reveals just how well the program has taken off:
329 people have received a bounty so far. Some are professional researchers; others are students or part-timers. The youngest bounty recipient to date is 13 years old.
These researchers are spread across 51 different countries. Only 20% of bounties paid out so far have been to US-based recipients.
The countries with the most bounty recipients are, in order, the US, India, UK, Turkey, and Germany. The countries with the fastest growing number of recipients are, in order, the US, India, Turkey, Israel, Canada, Germany, Pakistan, Egypt, Brazil, Sweden, and Russia.
Our largest single bounty so far has been $20,000. (There is no cap on the size of bounties in our program.)
Some individual researchers have already earned more than $100,000.
Two recipients have since taken full-time jobs with the Facebook security team.
This early progress is really encouraging, in no small part because programs like these can have a significant impact on our ability to keep Facebook secure. After all, no matter how much we invest in security — and we invest a lot — we’ll never have all the world’s smartest people on our team and we’ll never be able to think of all the different ways a system as complex as ours might be vulnerable. Our Bug Bounty program allows us to harness the talent and perspective of people from all kinds of backgrounds, from all around the world.
Bugs of all shapes and sizes
The bugs we’ve been able to fix because of the program have varied widely in type and impact. Here’s one example, involving Facebook Groups:
If the membership of a Facebook Group drops to one member, and that member is not an admin, our system will offer the admin role to that member so he or she can invite more members, preserve the content in that Group, or shut down the Group if it’s no longer needed.
Totally independent of this, Facebook allows users to block one another for safety and privacy reasons. Blocking limits someone else from being able to see things you post on your Timeline and prevents them from starting a conversation with you. Blocking is a powerful action, so the check for users being blocked happens before any of the Group checks.
Together, these two policies meant a malicious user could theoretically take over a Group by joining it and then blocking every other user in the Group, which would in turn trigger the Group to promote the malicious user to admin.
This was an excellent bug, and if we received a report on it today, we’d pay out around $10,000 for it.”
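The Groups bug quoted above is a textbook case of two individually sound policies composing badly: the "last remaining member becomes admin" rule was evaluated on a view that the block check had already filtered. The following toy model is an added illustration written for this article; it is not Facebook's code and it assumes nothing about how Facebook actually implemented either policy. The group, block list, user names and the two decision functions are all hypothetical, constructed here to show the flawed ordering beside the safe one: the authorization decision must be computed against authoritative membership, with blocking affecting only what a user sees.

```python
from dataclasses import dataclass, field
from typing import Dict, Set


@dataclass
class Group:
    """Authoritative membership of a group (hypothetical model, not Facebook's code)."""
    members: Set[str]
    admins: Set[str]


@dataclass
class BlockList:
    """Maps each blocker to the set of users that blocker has blocked."""
    blocks: Dict[str, Set[str]] = field(default_factory=dict)

    def block(self, blocker: str, target: str) -> None:
        self.blocks.setdefault(blocker, set()).add(target)

    def visible_to(self, viewer: str, users: Set[str]) -> Set[str]:
        """Blocking policy: hide users the viewer has blocked from the viewer's view."""
        return {u for u in users if u not in self.blocks.get(viewer, set())}


def offers_admin_vulnerable(group: Group, blocks: BlockList, viewer: str) -> bool:
    """Flawed composition: the group rule runs on the block-filtered view.

    Because the block check happens first, the 'only one member left' test
    counts just the users the viewer has not blocked.
    """
    remaining = blocks.visible_to(viewer, group.members)
    return remaining == {viewer} and viewer not in group.admins


def offers_admin_fixed(group: Group, blocks: BlockList, viewer: str) -> bool:
    """Safe composition: the group rule runs on authoritative membership.

    Blocking still governs what the viewer sees, but it never changes who
    is actually a member, so it cannot shrink the group to one person.
    """
    return group.members == {viewer} and viewer not in group.admins


def demo() -> Dict[str, bool]:
    """Constructed scenario: a three-member group in which one member blocks the others."""
    group = Group(members={"alice", "bob", "mallory"}, admins={"alice"})
    blocks = BlockList()
    blocks.block("mallory", "alice")
    blocks.block("mallory", "bob")
    # Legitimate case: a group that has genuinely shrunk to a single non-admin member.
    lone = Group(members={"dave"}, admins=set())
    return {
        "vulnerable_promotes_blocker": offers_admin_vulnerable(group, blocks, "mallory"),
        "fixed_promotes_blocker": offers_admin_fixed(group, blocks, "mallory"),
        "fixed_still_handles_lone_member": offers_admin_fixed(lone, blocks, "dave"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running `demo()` shows the flawed function granting admin to the blocker while the fixed one refuses, yet both still promote the genuinely lone member. The general lesson for reviewing access-control logic is to ask, for every privilege-granting check, whether its inputs are ground truth or a view that some other policy has already filtered.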