Facebook Paid Out Nearly $2 Million In Bug Bounties This Year

Facebook AH NS 07

Social media giant Facebook has paid out over $1.98 million in bug bounties so far this year. This is the company’s highest yearly bug bounty payout for the third year in a row, and highest to date.

Facebook has had a bug bounty program since 2011. Through this program, the company rewards external security researchers with cash prizes for finding and disclosing vulnerabilities in its platforms. In a 10th Anniversary post highlighting the notable finds of the program over the past ten years, Dan Gurfinkel, Security Engineering Manager at Facebook, said that over 50,000 researchers have joined this program since its inception.

The company has received more than 130,000 bug reports during this period. Over 6,900 of those reports have been awarded a bounty. Overall, Facebook has paid out more than $11.7 million in bug bounties to around 1,500 researchers from 107 countries over the past ten years.


So far, this year, Facebook has received around 17,000 bug reports and has issued bounties on over 1,000 reports. Researchers from more than 50 countries have been awarded through this program in 2020. India, Tunisia, and the US are the top three countries based on bounties awarded this year.

Facebook says it is committed to bringing innovative ways to direct and incentivize security research. It has recently launched its own Bug Description Language. This tool helps researchers quickly build a test environment to show how the company’s internal researchers can reproduce the bug.

A Hacker Plus program now offers bonuses, badges, early access to new products and features, exclusive invites to bug bounty events, and more to researchers. Additionally, Facebook is also creating opportunities for developers to collaborate at its live hacking events as well as BountyCon, a dedicated conference for researchers in the company’s bug bounty program.


Facebook highlights key findings of its bug bounty program

Facebook is among the handful of tech giants that have come under strict regulatory scrutiny for their privacy, security, and misinformation-related failures in recent years. The Menlo Park, California-based social media conglomerate is facing antitrust investigations in several parts of the world.

However, much of this has to do with how the company handles user data and posts on its platforms. The security and privacy of Facebook’s products and systems, in general, haven’t been an issue. And a lot of credit goes to its bug bounty program. The program has consistently helped the company improve the security and privacy of its products, including Instagram, WhatsApp, Messenger, Oculus, Workplace, and more, over the years.

Earlier this year, Facebook’s internal researchers discovered a major flaw with the platform’s Content Delivery Network (CDN) URLs following a report from a researcher named Selamet Hariyanto. Although the report highlighted a “low impact issue,” the fact that the company went on to discover a significant flaw related to the same report means it rewarded the researcher based on the maximum possible impact of their report. The bounty amount of $80,000 is the highest Facebook has paid for a bug report to date.


Facebook this year also fixed a bug in Messenger that could have allowed an attacker to call you and receive audio from your end immediately. They’d get audio feedback as soon as the device starts ringing, and until you answer or the call times out. Natalie Silvanovich of Google Project Zero reported this bug. Facebook paid a $60,000 bounty for this report. This report is also among the company’s three highest bug bounties.