Facebook has been at the center of seemingly-endless privacy controversies this year, but there is at least one positive development regarding the company’s security. According to a report in WIRED, Facebook paid out $1.1 million this year to security researchers through its bug bounty program. It also paid out its largest-ever single bounty of $50,000.

In the case of the $50K bounty, researchers discovered a major flaw in Facebook’s code that could have allowed a rogue developer to receive notifications on user activity. In total, Facebook said it received 17,000 reports this year and paid out 700 of them for an average of $1,500. However, while the bug bounty program is an effective method to fill some of Facebook’s blind spots, experts stress that it can’t solve every security problem.

“As a big proponent of bug bounties, even I don’t think we can stop with them, we still need to do more,” Alex Rice, Chief Technology Officer of bug bounty firm HackerOne, told WIRED. “Anyone who positions a bounty program as a silver bullet or presents their organization as impenetrable is misleading themselves and misleading the public.”

In other words, while it’s a good thing Facebook is willing to pay security experts generously for their assistance, the company needs to be doing a lot more of the work itself.