Three weeks after launching a bug bounty program that pays Web hackers cash for finding flaws with its website, Facebook said it has paid out more than $40,000 in rewards.
Facebook called the program a success Monday, saying it has mobilized security researchers around the world to help make Facebook.com more secure. “We know and have relationships with a large number of security experts, but this program has kicked off dialogue with a whole new and ever expanding set of people across the globe in over 16 countries, from Turkey to Poland who are passionate about Internet security,” the company said in a Facebook post about the program.
In recent years, technology companies have started paying hackers to encourage them to quietly report any bugs they find rather than simply dumping them out in public where they could be misused by criminals. Google and Mozilla, for example, operate similar bug bounty programs.
Facebook pays $500 per bug but will shell out more money for exceptional issues.
For example, one hacker was paid $5,000 for “one really good report,” Facebook said. The company said that it has also paid out $7,000 to a researcher who flagged six different issues.
“On the other end of the spectrum, we’ve had to deal with bogus reports from people who were just looking for publicity,” Facebook said.
Although Facebook spoke in glowing terms about its bug bounty program, it will not extend it to cover the hundreds of thousands of Facebook applications written by third parties. “Unfortunately, that’s just not practical,” the company said.