Exactly a month ago, Facebook launched a scheme that offered payments to bug hunters who reported flaws in the site’s security system.
On Monday, the social networking giant announced that in the space of just three weeks the bug bounty program has paid out over $40,000 to people who’ve helped identify problems, with one particular bug spotter pocketing over $7,000 for reporting six different issues. Another expert picked up $5,000 for a single report.
In a blog post on Monday, Facebook’s chief security officer, Joe Sullivan, wrote about the success of the bug bounty program. “It has been amazing to see how independent security talent around the world has mobilized to help. The program has also been great because it has made our site more secure–by surfacing issues large and small, introducing us to novel attack vectors, and helping us improve lots of corners in our code,” he wrote.
Sullivan was also keen to clarify the terms of the program, saying, “Some stories said that the maximum payment would be $500, when in fact that is the minimum amount we will pay. In fact, we’ve already paid a $5,000 bounty for one really good report. On the other end of the spectrum, we’ve had to deal with bogus reports from people who were just looking for publicity.”
Of the independent security experts involved in the bug bounty program, Sullivan said some had requested Facebook extend it to third-party applications and programs. Sullivan says in response: “Unfortunately, that’s just not practical because of the hundreds of thousands of independent Internet services implicated, but we do care deeply about security on the Platform.” Indeed, considering the amount of third-party software involved, such a bug-spotting scheme would probably bankrupt the social networking site within days.
He continued: ”We have a dedicated Platform Operations team that scrutinizes these partners and we frequently audit their security and privacy practices. Additionally, we have built a number of backend tools that help automatically detect and disable spammy or malicious applications.”
It seems Facebook has come up with a great way to tap into the skills of the security research community to help make the site more secure. Sullivan certainly values the contributions from the independent experts, closing his blog post with the words: “Facebook truly does have the world’s best neighborhood watch program, and [the bug bounty] program has proven that yet again for us.”