Social networking giant Facebook paid $1.5 million USD to security researchers worldwide last year as part of its Bounty Program. According to the latest report published by Facebook, Russian security researchers earned the highest amount per report in 2013, receiving an average of $3,961 for 38 bugs. India contributed the largest number of valid bugs at 136, with an average reward of $1,353. The US reported 92 issues and averaged $2,272 in rewards. Brazil found 53 bugs and was rewarded $3,792 on average, and the UK was fourth by volume, with 40 bugs and an average reward of $2,950.
According to Facebook, all of the roughly 15,000 bug submissions it received were scrutinized individually by the firm's security professionals. The company also notes that most submissions end up not being valid issues, but each is treated as valid until a Facebook security engineer has fully evaluated the report.
One of the notable reports, for which Facebook paid its highest reward ($33,500), was an XML External Entities (XXE) attack discovered by Reginaldo Silva: an XML external entity could read files from a Facebook web server and reach an internal service, and from there code could be run. Other bugs that attracted high rewards from Facebook were an "ActionScript Filtering Bypass" and a UI confusion bug.
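The XXE class of bug mentioned above comes down to an XML parser honouring a DOCTYPE that declares an external entity (a `SYSTEM` identifier such as a `file://` URL) and substituting the file's contents into the document. The usual mitigation is to refuse any DTD from untrusted input before the parser gets a chance to expand it. The following is an added illustration in Python, not code from the article or from Facebook; the two sample documents are constructed for the example, and the `file:///PLACEHOLDER/path` identifier is a deliberately fictitious placeholder rather than a real path.

```python
import xml.parsers.expat
import xml.etree.ElementTree as ET


class DTDNotAllowed(ValueError):
    """Raised when untrusted XML carries a DOCTYPE or entity declaration."""


# Constructed sample inputs for this example (not taken from the article).
BENIGN = b"<user><name>alice</name></user>"
XXE_STYLE = (
    b'<?xml version="1.0"?>\n'
    b'<!DOCTYPE user [ <!ENTITY ext SYSTEM "file:///PLACEHOLDER/path"> ]>\n'
    b"<user><name>&ext;</name></user>"
)


def reject_dtd(xml_bytes: bytes) -> None:
    """Pre-scan with expat and abort as soon as a DOCTYPE or entity is declared.

    Expat reports the declaration to our handlers before it would ever try to
    resolve an external identifier, so raising here stops the parse early.
    No ExternalEntityRefHandler is installed, so nothing is fetched even if a
    declaration slipped through.
    """
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        raise DTDNotAllowed(f"DOCTYPE {name!r} is not accepted from untrusted input")

    def on_entity(entity_name, is_parameter_entity, value, base,
                  system_id, public_id, notation_name):
        raise DTDNotAllowed(f"entity {entity_name!r} is not accepted from untrusted input")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.Parse(xml_bytes, True)


def is_dtd_free(xml_bytes: bytes) -> bool:
    """True when the document declares no DOCTYPE and no entities."""
    try:
        reject_dtd(xml_bytes)
    except DTDNotAllowed:
        return False
    except xml.parsers.expat.ExpatError:
        # Malformed XML is not our concern here; the real parse will report it.
        return True
    return True


def parse_untrusted(xml_bytes: bytes) -> ET.Element:
    """Parse XML from an untrusted source, refusing DTDs outright."""
    reject_dtd(xml_bytes)
    return ET.fromstring(xml_bytes)


if __name__ == "__main__":
    root = parse_untrusted(BENIGN)
    print("benign document parsed, name =", root.find("name").text)
    try:
        parse_untrusted(XXE_STYLE)
    except DTDNotAllowed as exc:
        print("rejected:", exc)
```

Rejecting the DTD wholesale is simpler and safer than trying to whitelist harmless declarations; applications that legitimately need DTDs should keep that capability off the path that handles data from outside the trust boundary. The pre-scan works on raw bytes, so the decision is made on the same document the parser will see, and a separate parse with a library that disables entity expansion (or a library built for that purpose) remains the second layer.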
Collin Greene, a security engineer at Facebook, wrote in a blog post: "The volume of high-severity issues is down, and we're hearing from researchers that it's tougher to find good bugs. To encourage the best research in the most valuable areas, we're going to continue increasing our reward amounts for high priority issues."