Feeds

How much is a security bug report worth to Facebook? About $2,100

Team Zuck paid out $1.5m for 687 reports of vulnerabilities

Beginner's guide to SSL certificates

Facebook wasn't the first to offer security researchers bounties for reporting vulnerabilities – but the social network reports it paid out $1.5m in 2013 for bug reports, and says it is increasing the amount of cash on offer in the coming year.

According to the advertising giant, it received 14,763 reports of suspected flaws last year, an increase of 246 per cent on the 2012 figure. Unfortunately for Facebook's security team there were a lot of false positives in there, and only 687 write-ups turned out to be worth paying for – and, thankfully, roughly six per cent were classified as high-severity issues.

"Most submissions end up not being valid issues, but we assume they are until we've fully evaluated the report. That attitude makes it possible for us to triage high-priority issues quickly and get the right resources allocated immediately," said Collin Greene, a security engineer at Facebook.

"We've managed to take the median fix time for high-severity issues down to just 6 hours, and we're going to continue focusing on efficiency as the program grows. We also use static analysis and other automated tools where applicable to help prevent engineers from repeating mistakes later."

Most of the valid bug reports were filed from India, but they appeared to be of low value – Facebook got 136 flaws from the subcontinent and paid out an average of $1,353 for each. Russians earned the most last year, with 38 submissions earning $3,961 on average.

As for the home-grown talent, US researchers found 92 correct flaws, with an average payday of $2,272 each, while the British contingent sent in 40 valid bugs each worth $2,950 on average. Facebook's highest payout went to Brazilian researcher Reginaldo Silva, who earned $33,500 for finding an XML external entity vulnerability within a PHP page.

It's not just straightforward flaws Facebook is paying for. One researcher found a bad piece of user interface design in its Page administrator tool that could have allowed people to accidentally assign new administrators to a Page instead of blocking them.

Facebook is amending its bounty rules for next year; boosting some payouts and adding Instagram, Parse, Atlas, and Onavo to the program. But it's also removing text-injection flaws from the payout list, arguing that rendering extra text on a page isn't a security issue on its own. ®

Protecting users from Firesheep and other Sidejacking attacks with SSL

More from The Register

next story
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
Jihadi terrorists DIDN'T encrypt their comms 'cos of Snowden leaks
Intel bods' analysis concludes 'no significant change' after whistle was blown
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
China hacked US Army transport orgs TWENTY TIMES in ONE YEAR
FBI et al knew of nine hacks - but didn't tell TRANSCOM
Microsoft to patch ASP.NET mess even if you don't
We know what's good for you, because we made the mess says Redmond
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
Protecting users from Firesheep and other Sidejacking attacks with SSL
Discussing the vulnerabilities inherent in Wi-Fi networks, and how using TLS/SSL for your entire site will assure security.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.