Facebook has paid $5 million to over 900 security researchers in 5 years

With more than a billion people using Facebook each day, the social network and its affiliated properties are prime targets for hackers and are also prone to system vulnerabilities. Try as it might, the company isn’t able to account for every gap, which is why five years ago it implemented a bug bounty program. Since then, Facebook revealed that it has paid out $5 million in rewards to more than 900 security researchers.

“Launching and running a program of this size for five years is not easy — and we couldn’t have done it without the support of the broader security research community,” wrote Joey Tyson, a company security engineer. “In fact, we discovered many of the people now on our team through the community of researchers submitting reports.”

While Facebook declined to state how many bug requests it received over the last five years, it did give a snapshot of activity in the first half of this year. It received more than 9,000 reports, with most of the payouts going to researchers in India, the U.S., and Mexico — in total, $611,741 was given to 149 researchers.

Tyson explained that Facebook is moving forward with improvements in the bug bounty program, including getting a better understanding of what people like about it and areas that should be changed. Some changes made include detailing in award notifications how the specific bounty was determined — it’s still based on real (versus perceived) risk, but additional information is now shared. He also said that the company will provide educational resources “on security fundamentals and topics specific to our products.”

In 2014, Facebook said it had paid out more than $3 million, with $1.3 million given out to 321 researchers. Referring back to the company’s statement, that suggests $2 million has been paid out since. Perhaps this activity is thanks to improvements made to the bug bounty program, including extending the scope to cover WhatsApp, making payments in Bitcoin, and switching to an automated payment system to process rewards faster.

Comparing Facebook’s bug program to those of its peers: Twitter’s version has only been around for two years, with researchers paid more than $300,000. Google’s may be the oldest one in this group, with more than $6 million paid out in the past 6 years. Apple’s is the youngest, as the company only created its bug bounty program this year.