Facebook has operated a bug bounty program in which external security researchers help improve the security and privacy of the social network’s products and systems since 2011 and so far this year, the company has paid out over $1.98m to researchers from more than 50 countries.
Since its inception, more than 50,000 researchers have joined the program and around 1,500 researchers from 107 countries have been awarded a bounty. However, many of the researchers have since joined Facebook’s security and engineering teams to continue protecting the company’s platform.
While the bug bounty program initially covered just Facebook’s web page, in the years since the program has grown to cover all of its web and mobile clients across Instagram, WhatsApp, Oculus, Workplace and more.
The social media giant recently launched its own Bug Description Language tool that allows researchers to quickly build a test environment to show how a bug can be reproduced. Facebook also launched its own rewards program called Hacker Plus to add bonuses, badges, exclusive invites to bug bounty events and early access to its upcoming products and features.
Facebook bug bounty
In this year alone, Facebook has received around 17,000 reports from security researchers and issued bounties on over 1,000 of these reports. Earlier this year, the company received two notable reports with one coming from a researcher who recently joined its bug bounty program and another from one of the researchers at Google’s Project Zero security team.
The first report covered a low impact Content Delivery Network (CDN) bug where a subset of the company’s CDN URLs could have been accessible after they were set to expire. However, after patching the bug, Facebook’s internal researchers discovered a rare scenario where a sophisticated hacker could have escalated to remote code execution. The company then rewarded the researcher its highest bounty yet at $80,000 based on the maximum possible impact of their report.
The second report came from Project Zero’s Natalie Silvanovich who discovered a bug that could have allowed a sophisticated attacker logged in on Messenger for Android to simultaneously initiate a call and send an unintended message type to another logged in user on Messenger’s Android client as well as to another Messenger client such as a web browser. After fixing the issue, the researcher was rewarded Facebook’s third highest bug bounty at $60,000.
As Facebook’s bug bounty program approaches its 10 year anniversary, the company remains committed to rewarding security researchers who help the company further secure its products and systems.