
Facebook paid nearly $1 million in bounties for finding security flaws

Facebook has paid nearly $1 million in bounties to security researchers who found bugs in the company's products.


Facebook is a social network familiar to all of us, used by billions of people every day. As with anything connected to the Internet, security is one of the key concerns and priorities of its users, and Facebook is no exception.

Facebook has announced that it paid $936,000 to 210 security researchers in 2015. This is the money Facebook pays security researchers for discovering vulnerabilities and bugs in its products and reporting them to the company. Up to this point, Facebook has paid about $4.3 million in prize money to 800 researchers in exchange for 2,400 security reports. Facebook introduced the program in August 2011.

Total spending on security researchers in 2015 was lower than in previous years. Specifically, Facebook paid $1.3 million to 321 security researchers in 2014 and $1.5 million to 330 researchers in 2013. In 2013 and 2014, Facebook received 14,763 and 17,011 reports respectively from security researchers. In 2015, this figure dropped to 13,233 reports from 5,543 researchers in 127 countries. The average payment Facebook made to a security researcher in 2015 was 1,780 USD, slightly down from 1,788 USD in 2014.

Facebook said that in 2015 there were 102 reports classified as high impact on the company's products, an increase of 38 percent compared to 2014. The company said that the quality of the reports in 2015 was also better than in other years.

In 2015, Facebook's largest bounties went to the following findings:

- Messenger Web lacked protection against Cross-Site Request Forgery (CSRF) when the messenger.com website was introduced. Within a few minutes of the launch, Facebook received 15 reports of this flaw from security firms. Jack Whitton was the first to report it and received Facebook's reward.

- Using GraphQL search to reach hidden data: Philippe Harewood found that GraphQL search results allowed queries to reach hidden data in the system and reported this issue to Facebook.

- A flaw that allowed CSRF protection to be bypassed on a large scale, leaving the website unable to prevent CSRF attacks.
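Two of the three findings above concern missing or bypassable CSRF protection. To make concrete what that protection consists of, here is an added example (not Facebook's code, and not from the original article) showing a state-changing "send message" handler without a CSRF check next to one that validates a synchronizer token bound to the user's session; the session and form dictionaries, the handler names and the sample requests are all constructed for this illustration.

```python
import hmac
import secrets


def issue_csrf_token(session: dict) -> str:
    """Generate an unpredictable token, store it in the server-side session
    and return it so the page can embed it in its forms (hypothetical API)."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def unprotected_send_message(session: dict, form: dict) -> dict:
    """Handler with no CSRF check: a POST carrying the victim's session cookie
    is accepted regardless of which site produced it. This is the class of
    defect the article describes, kept here only for comparison."""
    return {"status": "sent", "to": form["to"]}


def protected_send_message(session: dict, form: dict) -> dict:
    """Same handler with a synchronizer-token check: the request must carry the
    token stored in the session. A cross-site page cannot read that token,
    so it cannot forge a valid request."""
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    # Constant-time comparison avoids leaking token bytes through timing.
    if not expected or not hmac.compare_digest(expected, supplied):
        return {"status": "rejected", "reason": "csrf token missing or invalid"}
    return {"status": "sent", "to": form["to"]}


def demo() -> dict:
    """Simulate a legitimate request and a forged cross-site request (constructed)."""
    session = {"user": "alice"}            # constructed server-side session
    token = issue_csrf_token(session)

    legit_form = {"to": "bob", "csrf_token": token}
    # A forged form from another origin: it rides on Alice's cookie but
    # cannot include her token, since the attacker's page never saw it.
    forged_form = {"to": "mallory"}

    return {
        "unprotected_forged": unprotected_send_message(session, forged_form),
        "protected_legit": protected_send_message(session, legit_form),
        "protected_forged": protected_send_message(session, forged_form),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The unprotected handler sends the forged message, while the protected one rejects it and still accepts the genuine request; in a real deployment the token would be emitted into every state-changing form (or sent as a header by JavaScript) and the check applied uniformly across all such endpoints, since a single uncovered endpoint is exactly the gap the first and third findings above exploited.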

Unlike the past two years, Facebook added no new categories to its bug bounty program this year (Oculus and Moves in 2015; Parse, Atlas and Onavo in 2014), so it would not be surprising if the bounty total Facebook spends in 2016 is lower.
