Facebook offers $500 bounty for reporting bugs: why so cheap?

By Sara Yin | Published on 31 Jul 2011

Facebook is offering a $500 reward for reporting bugs on its site, far less than bug bounties offered by companies like Google or Microsoft.

"To show our appreciation for our security researchers, we offer a monetary bounty for certain qualifying security bugs," Facebook wrote on a page entitled "Security Bug Bounty."

To qualify for the bounty, you must be the first to report the security flaw, and the bug must be in Facebook itself (not in a third-party application such as FarmVille). Furthermore, disclosure must be "responsible": you need to give Facebook a reasonable amount of time to fix the bug before reporting it publicly, as security researchers often do through blog posts to warn users.


Although $500 is just the base payout, it pales in comparison to what other companies offer, such as Google's $3,000, Mozilla's $3,000, and Microsoft's $250,000. If you're looking for a real early retirement plan, the Business Software Alliance says tipsters who report their company's illegal use of unlicensed software could reap payouts of up to $1 million.

But a security researcher cited in ComputerWorld says reporting Facebook bugs can help budding security researchers make a name for themselves in the tight-knit security community.

"The dollar amounts may be smaller than other markets for security research, but bounty programs lead to a better relationship with the security community and improve the security of the service much faster than a similar resource spend in a traditional security audit," said HD Moore, chief security officer of Rapid7.

Facebook, like Microsoft and Google, has been known to hire grey hat hackers in the past; most recently it scooped up famed PlayStation 3 hacker George "Geohot" Hotz.


Copyright © 2010 Ziff Davis Publishing Holdings Inc.
