Facebook handed out $1.67 million in bug bounty rewards last year

Facebook has paid out $2 million in rewards to hackers who found security holes in the past year. In 2020 the company received 17,000 reports. A reward was paid out for 1,000 of them.

That’s what Facebook says now that the bug bounty program has been around for almost ten years. The company opened a responsible disclosure program in 2011 through which hackers could report vulnerabilities. More than 50,000 researchers have joined the program since its inception. Over the decade, 130,000 bug bounty disclosures have been made, of which 6,900 have been rewarded. They went to 1,500 researchers. Most of the bugs reported this year came from researchers in India, Tunisia and the United States.

In the past year, 17,000 reports were made, of which 1,000 were rewarded. They were worth a total of 1.98 million dollars, or 1.67 million euros. One of them was a bug in the company’s Content Delivery Network. Hacker Selamet Hariyanto found a flaw that allowed content behind expired URLs to still be retrieved. Although the vulnerability itself had a low impact according to the bug bounty program, Facebook’s own researchers later discovered a way to chain that flaw into remote code execution. The hacker was therefore paid as if it were a high-impact bug. He received $80,000 in reward, which is the highest amount paid out to date, according to Facebook.

Another bug came from a researcher at Google’s Project Zero. She discovered a flaw in the Messages app for Android through which an attacker could listen in on Messenger audio. The researcher received a reward of $60,000 for this.