Facebook Grows Bug-Bounty Payouts in 2014

Facebook paid $1.3 million in awards to security researchers in 2014, and 2015 is likely to be a strong year for the company's bug-bounty program.

Facebook security

Facebook's security got a significant boost in 2014, thanks to the efforts of researchers who reported flaws to the social networking giant.

Facebook reported the highlights of its bug-bounty program in a note posted on Feb. 25, revealing that $1.3 million awards were paid out to 321 researchers around the world in 2014.

A Facebook spokesperson told eWEEK that the single largest payout in 2014 was $30,000, and the top earner collectively earned $86,000 in 2014. While the top single award was $30,000, the average award that Facebook paid was $1,788. Facebook's bug-bounty program awards researchers for responsibly disclosing security vulnerabilities. Facebook first began its bug bounty program in 2011 and has paid out more than $3 million in awards since then.

Last year, Facebook saw an increasing number of bug reports flow into its bug-bounty program. There were 17,011 bugs filed with the program in 2014, a 16 percent year-over-year gain from 2013. Not all the bugs that Facebook receives have the same effect, and the fact that Facebook got 17,011 submissions from security researchers doesn't mean that Facebook has that many vulnerabilities. That said, the number of highly severe bugs that are reported to Facebook is, in fact, increasing.

"Sixty-one of last year's eligible bugs were categorized as high severity, 49 percent more than the previous year," Facebook Security Engineer Colin Green wrote in the Facebook note.

Facebook is also getting security reports from more countries than ever. In total, security researchers from 65 countries were awarded bug bounties in 2014, a 12 percent gain from 2013. Facebook identified India as being home to the largest number of security research submissions. Security researchers from India submitted 196 valid security bugs and were awarded an average of $1,343 per bug. Egypt came in second place with 81 bugs and an average payout of $1,220. Researchers in the United States came in third, with 61 bugs, earning an average of $2,470 per bug.

While 2014 was a solid year for Facebook's bug-bounty program, 2015 is already looking solid.

"Report volume is at its highest levels, and researchers are finding better bugs than ever before," Green wrote. "We've already received more than 100 valid reports since the start of the new year.

Facebook isn't the only organization seeing success with its bug-bounty program. Google's bug-bounty program has been successful, and the company reported earlier this month that it had paid out $1.5 million in awards in 2014.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.