It has only been 21 days since the Facebook Bug Bounty Program was announced and yet the company has already paid a total of $40,000 to bounty hunters. The program’s aim is to strengthen Facebook’s defense against attacks by fixing bugs within the system. Their strategy is to entice security researchers with the promise of money if they find a bug and report it to Facebook first instead of making it known to the public immediately or, worse, exploiting it themselves.
Facebook may have its own security team, but sometimes it takes an outsider’s view to spot any loopholes. Facebook Chief Security Officer Joe Sullivan said they realize that there are “many talented and well-intentioned security experts around the world who don’t work for Facebook”. By implementing the bug bounty program, they’re tapping into the brains of some of the world’s best – for a price, that’s true, but it’s a price well-paid.
“The program has also been great because it has made our site more secure – by surfacing issues large and small, introducing us to novel attack vectors, and helping us improve lots of corners in our code”, said Sullivan.
Facebook’s bounties range from a minimum of $500 to a maximum of $5,000 depending on the severity of the bug. Researchers from more than 16 countries have contributed to the effort and there are already 48 names in Facebook’s public ‘Thank you’ list, people who have earned the company’s gratitude for “making a responsible disclosure” to the company. One researcher has made quite a profit from the program, earning $7,000 by reporting six serious bugs. Sullivan has also mentioned that the maximum bounty has already been paid once – implying there was once a very serious loophole in the system, but thanks to the Bug Bounty Program it has already been plugged.
All in all, the program has been a pretty big success. It’s a bit ironic, considering that Facebook is basically paying people to try hacking into its system just to get some details on how it’s done. Facebook has even promised that there will be no legal retribution even if the security researchers report a loophole which they found through not-so-legal means. Still, other big companies such as Microsoft, Google, and Mozilla have implemented similar programs, and they have proven to be quite effective. All this is being done in the name of security, after all, and $40,000 is a small price to pay for the prevention of any serious hacking incident.
What Sullivan is worried about, though, is the idea that there are some “criminally-minded bug spotters” who might get more for their findings if they sell them on the underground market instead of going directly to Facebook. Hopefully, the thought of being completely at peace with the law will sway most bug bounty hunters more than the promise of a few extra thousand dollars.