Facebook Pays $40,000 to Hackers

Three weeks after launching its bug bounty program, Facebook has paid $40,000 to security experts to try and find flaws in its system. Roughly fifty “whitehat” hackers were able to spot problems in the company’s website and have been recognized on Facebook’s security site.

Compensation started at $500 per bug, with no cap on the amount an individual could receive.

To date, one researcher received $7,000 for flagging six particularly sensitive issues, and $5,000 for a bad flaw in the system. The challenge rules required that hackers be the first person to report a specific bug.

“Typically, it’s no longer than a day” to fix a bug, Facebook's Chief Security Officer Joe Sullivan said.

Facebook is not the only company that creates schemes to pay hackers who discover glitches.

Google, Mozilla, Microsoft, HP and many other tech companies also offer money to individuals who find bugs in its software. It is also cost effective for companies to pay freelancers rather than hiring a large staff.

“We realize…that there are many talented and well-intentioned security experts around the world who don’t work for Facebook,” Sullivan wrote on Facebook’s blog Monday.

The company promised hackers legal protection if they broke the law to identify any flaws.

“If you give us a reasonable time to respond to your report before making any information public and make a good-faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research, we will not bring any lawsuit against you or ask law enforcement to investigate you,” Facebook said in its Responsible Disclosure Policy.

Facebook considered the program a success and has actually hired a few security experts who submitted errors in the past to the company’s security team.

“We established this bug bounty program in an effort to recognize and reward these individuals for their good work and encourage others to join,” he said.

“The program has also been great because it has made our site more secure-- by surfacing issues large and small, introducing us to novel attack vectors, and helping us improve lots of corners in our code,” Sullivan said.