Facebook dishes out over $1m to bug hunters in security scheme

Two years after launching its own "bug bounty" programme, Facebook has paid out more than $1 million (£654,000) to security researchers who have discovered vulnerabilities affecting the site.

In a blog post, Facebook security engineer Collin Greene said the social network has awarded bounties to 329 people across 51 different countries, ranging from professional researchers to students. The youngest bounty recipient to date is 13 years old.

Two lucky recipients have even landed full-time jobs on the Facebook security team after discovering security holes that could have left the site and its users vulnerable to malicious hackers, Greene said.

By country, the US leads the pack, boasting the most bounty recipients to date, followed by India, the UK, Turkey, and Germany. Even so, just 20 per cent of bounties paid out so far have been to US-based recipients. The US is also the country with the fastest-growing number of recipients, followed by India, Turkey, Israel, Canada, Germany, Pakistan, Egypt, Brazil, Sweden, and Russia.

"This early progress is really encouraging, in no small part because programs like these can have a significant impact on our ability to keep Facebook secure," Greene wrote. "Our Bug Bounty program allows us to harness the talent and perspective of people from all kinds of backgrounds, from all around the world."

One issue discovered through the bug bounty program could have allowed someone to take over a Facebook group. If a group dropped to just one member, the system offered that person an admin role. A malicious user could potentially abuse this policy by joining a group and blocking every other user, which would trigger the system to promote that person to admin.
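The group takeover described above, modelled as an added example that is not Facebook's code: a toy membership model with the original "last member becomes admin" rule beside a hardened rule that refuses to promote a member whose own blocks emptied the group. The user names, the assumption that blocking removes the blocked user from the group, and the hardened rule itself are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Group:
    """Constructed toy model of group membership and admin auto-promotion."""
    members: set = field(default_factory=set)
    admins: set = field(default_factory=set)
    blocked_by: dict = field(default_factory=dict)  # target -> actor who blocked them
    hardened: bool = False

    def block(self, actor: str, target: str) -> None:
        # Assumption: blocking another member removes them from the group.
        if actor not in self.members or target not in self.members:
            raise ValueError("both users must be members")
        self.members.discard(target)
        self.admins.discard(target)
        self.blocked_by[target] = actor
        self._maybe_promote()

    def leave(self, user: str) -> None:
        # A legitimate departure; the last member should still be offered admin.
        self.members.discard(user)
        self.admins.discard(user)
        self._maybe_promote()

    def _maybe_promote(self) -> None:
        # Original rule: a group with exactly one member and no admin promotes that member.
        if len(self.members) != 1 or self.admins:
            return
        (last,) = self.members
        if self.hardened:
            # Hardened rule (assumption): departures the last member caused do not count.
            if any(actor == last for actor in self.blocked_by.values()):
                return
        self.admins.add(last)


def run_takeover(hardened: bool) -> bool:
    """Attacker 'mallory' blocks everyone else; returns True if she ends up admin."""
    g = Group(members={"alice", "bob", "mallory"}, admins={"alice"}, hardened=hardened)
    for victim in ("alice", "bob"):
        g.block("mallory", victim)
    return "mallory" in g.admins


def run_legit_departures(hardened: bool) -> bool:
    """Others leave on their own; returns True if the remaining member is promoted."""
    g = Group(members={"alice", "bob", "mallory"}, admins={"alice"}, hardened=hardened)
    g.leave("alice")
    g.leave("bob")
    return "mallory" in g.admins
```

The hardened check still promotes the last member after voluntary departures, so the fix closes the abuse path without breaking the intended behaviour.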

"This was an excellent bug, and if we received a report on it today, we'd pay out around $10,000 for it," Greene wrote.

Facebook bug bounties start at $500 (£327), and there is no maximum reward. The company rewards researchers based on four primary factors: impact, quality of communication, target, and secondary damage. High-impact vulnerabilities include those that would allow someone to access private Facebook data, modify an account, or run JavaScript under As a rule of thumb, "bugs that lead us to more bugs get bigger payouts."

For more on Facebook's bug bounty programme, check out its White Hat page.

Most major tech firms have bug bounty programmes nowadays, but one of the industry's biggest players - Microsoft - didn't actually get on board until earlier this year.

On 26 June, Redmond kicked off three bounty programmes for exploits related to Windows 8.1 and Internet Explorer 11, with up to $100,000 (£65,000) in reward money.