Facebook says that its bug bounty program ‘has proven valuable beyond our expectations’ as it has awarded more than $40,000 (£24,500) in its first month.
A month after introducing a bug bounty program, Facebook's chief security officer Joe Sullivan said in a blog post that the bug bounty program is an effort to recognise and reward individuals for detection and reporting of vulnerabilities.
He said: “It has been fascinating to watch the roll-out of this program from inside Facebook. First, it has been amazing to see how independent security talent around the world has mobilised to help.
“We know and have relationships with a large number of security experts, but this program has kicked off dialogue with a whole new and ever expanding set of people across the globe in over 16 countries, who are passionate about internet security.
“The program has also been great because it has made our site more secure by surfacing issues large and small, introducing us to novel attack vectors and helping us improve lots of corners in our code.”
Sullivan said that the program has already paid out more than $40,000 in only three weeks, with one person receiving more than $7,000 (£4,000) for six different issues. “It has been a joy to engage in dialogue about issues and hear from the diverse perspectives these people bring,” he said.
Sullivan also commented on claims that a maximum bounty payment would be $500 (£306), saying ‘that is the minimum amount we will pay’. He said: “In fact, we've already paid a $5,000 (£3,000) bounty for one really good report. On the other end of the spectrum, we've had to deal with bogus reports from people who were just looking for publicity.”
He also said that there had been requests that the program be extended to the Facebook Platform, to include third-party applications and websites. “Unfortunately, that's just not practical because of the hundreds of thousands of independent internet services implicated, but we do care deeply about security on the platform,” he said.
“We have a dedicated Platform Operations team that scrutinises these partners and we frequently audit their security and privacy practices. Additionally, we have built a number of backend tools that help automatically detect and disable spammy or malicious applications. People on our site agree that our protections, coupled with common sense, provide a rigorous level of security.”