In its latest Bug Bounty Program report, Facebook has confirmed that it has fixed 61 eligible bugs which were categorized as High Severity, which was 49% more than last year. As the name suggests, Facebook’s Bug Bounty Program pays people who report bugs to Facebook, more severe the bug, higher the payout. The top five earners last year collectively netted $256,750.
Facebook started the program back in 2011, where it paid the researchers who submitted crucial security flaws and loopholes found in facebook which could harm their infrastructure or users privacy or which could allow illegal access to its server and data. Since the programs inception in 2011, the company has paid more than $3 million to researchers across the globe. In 2014, they paid $1.3 million to 321 researchers all over the world. The average reward in 2014 was $1,788. Researchers from 65 countries received rewards this year, which was a 12% increase from 2013. This brings their tally to 123 countries who have all reported bugs at sometime.
Providing country-wise breakup, India contributed the largest number of valid bugs at 196, with an average reward of $1,343. Egypt was second by volume with 81 bugs and the USA third with 61 bugs, with average rewards of $1,220 and $2,470 respectively. At fourth, UK earned the highest amount per report in 2014, receiving an average of $2,768 for 28 bugs. The Philippines was fifth, earning a total of $29,500 for 27 bugs.
The security flaws doesn’t necessarily belong to the Facebook website, it also could have been for other Facebook products like Instagram, Onavo, Oculus, etc.
Facebook also listed 3 specific bugs which were submitted, under bugs spotlight. Hidden input parameters; a bug where the backend code was receiving multiple values for the same parameter, Amazon S3 bucket; a bug which allowed the attacker to register a S3 bucket, Legacy REST API Calls; a bug which allowed legacy REST API calls to be made on behalf of any Facebook user without any proper authentication, using only their user ID.
You can also submit a bug to facebook and earn money, but before submission it is imperative to make sure that bug is valid and eligible to submit, here are some false positives and commonly listed issues which won’t be considered.
Feature Photo Credit – Maria Elena/Flickr