The Hacker News Logo
Subscribe to Newsletter

Ever Wondered How Facebook Decides — How much Bounty Should be Paid?

facebook-bug-bounty
Facebook pays Millions of dollars every year to researchers and white hat hackers from all around the world to stamp out security holes in its products and infrastructure under its Bug Bounty Program.

Facebook recognizes and rewards bug hunters to encourage more people to help the company keep Facebook users safe and secure from outside entities, malicious hackers or others.

Recently, the social media giant revealed that India is on top of all countries to report the maximum number of vulnerabilities or security holes in the Facebook platform as well as holds the top position in the country receiving the most bug bounties paid.
"India is home to the largest population of security researchers participating in the Facebook bug bounty program since its inception in 2011. The country also holds the top spot for most bounties paid," Adam Ruddermann, Facebook’s technical program manager notes.
If you are one of the Facebook’s bug hunters, you might be aware of the fact that reporting same type of flaw (say, Cross-site Scripting or XSS) in Facebook would not make one eligible for the same bounty.

Do you ever wondered why? And How Facebook decides the Bounty amount?

Well, the procedure exactly works in the same way The Hacker News team decides which news to be covered first and which is not at all i.e. based on the risks to the end-users.

Recently, Facebook’s bug bounty team explained how they calculate bounties.

How Facebook Calculates Bug Bounties?


Facebook calculates bounties, of course, based on Risk to end-users.

Also Read: Best Password Manager — For Windows, Linux, Mac, Android, iOS and Enterprise

The bugs that allow someone to access private Facebook data, delete Facebook data, modify an account and run JavaScript under facebook.com are considered as high-impact vulnerabilities that directly affects end users, so are maximum paid bugs.
"The security community in India is strong and growing every day," Facebook says. "India has long topped the list of 127 countries whose researchers contribute to our bug bounty program."
Here’s the Procedure Facebook Security team follows:

Step 1: The Facebook Bug Bounty team first looks at the potential impact of a vulnerability reported.

Step 2: Engineers at Facebook then calculates the difficulty or easiness of exploiting a particular vulnerability, whether it’s high-severity, as well as the kind of resources or technical skills a successful attack would require.

Step 3: The team then looks at whether any existing features can already mitigate the issue, for example, an implementation of rate-limiting mechanism to prevent brute-force attacks.

Step 4: Sometimes bug hunters report bugs that are actually Facebook features designed to provide users a better experience on the social media platform. These reports are less considered as eligible until they pose any threat.

Based upon the aforementioned steps, Facebook decides a base payout for each eligible vulnerability report.

The bounty amount can change as the risk landscape evolves, like a bug that leads to more bugs get bigger payouts.

The team also reserves an option to award security researchers and white hat hackers more than the base amount if the report itself demonstrates a high level of clarity, sophistication, and detail.


Example — Bug Bounties Paid by Facebook

facebook-bug
Earlier this month, Anand Prakash, 22, of India was awarded $15,000 (roughly Rs. 10 Lakhs) for reporting a Password Reset Vulnerability that could allow attackers to hack any Facebook account by resetting its password via endless brute force of a 6-digit code.

Have you ever wish to delete any photo from Facebook that you didn't like but posted by someone else? Believe me — It was possible, but until last year, when two independent India security researchers reported two separate vulnerabilities to Facebook and awarded $12,500 each.

Do you know what’s the highest bug bounty ever paid by Facebook? That’s $33,500 to a Brazilian hacker who managed to hack into the Facebook server using a remote-code execution vulnerability.

There was another interesting bug in Facebook that received the highest attention, but no bounty was paid.

Yes, I am talking about Palestinian Hacker, 'Khalil Shreateh', who posted vulnerability details on Facebook CEO Mark Zuckerberg’s wall to prove his point, after Facebook Security Team failed to recognize his critical vulnerability thrice.

Unfortunately, Khalil did not receive any bounty for not following the disclosure guidelines correctly and failed to clarify the vulnerability details to Facebook Security Team.

Do you want to know how to earn high bounties? Find and Report high-severity bugs.
"The most important factor for getting the maximum bounty possible is to focus on high-risk vulnerabilities, specifically those with widespread impact," Facebook says. "So, if you're looking to maximize your bounties, focus on quality over quantity."
Bug Bounty programs have widely been used by a large number of prominent technology companies including Google, Facebook and PayPal, for which Bug hunters play a vital role in security their users’ online accounts.

Bug bounties and disclosure programs encourage researchers and hackers to report responsibly vulnerabilities to the affected companies rather than exploiting them to compromise its users’ security, which may also affect company's reputation.

So Keep Hunting, Keep Earning!

Have something to say about this article? Comment below or share it with us on Facebook, Twitter or our LinkedIn Group.
SHARE
Comments
Latest Stories
Best Deals

Newsletter — Subscribe for Free

Join over 500,000 information security professionals — Get the best of our cyber security coverage delivered to your inbox every morning.