Just a month into its cash-for-bugs program, social networking giant Facebook doled out some $40,000 in bounties to researchers from 16 countries, according to a company statement.
Joe Sullivan, Facebook’s Chief Security Officer, authored a column on Facebook’s security page yesterday heralding the success of the new program as an overall security improvement on the world’s largest social network. The bounties include $7,000 to one researcher who disclosed six separate bugs.
Facebook followed the lead of companies like Google, Mozilla and a gaggle of vulnerability detection firms in July, offering cold hard cash for the details of security holes in its Web-based social networking service. The company is paying $500 as the minimum bug bounty, with more money going to more valuable (read: exploitable) vulnerabilities. The company paid out $5,000 to one researcher for a particularly good report. These are drops in the bucket to a company whose eventual IPO, if rumors prove true, may exceed $100 billion.
And, while Facebook has struggled with bogus reports, the company is counting the bounty program as a success.
The bug bounty program took root more than a year ago, when the company formalized a responsible disclosure policy that allowed researchers to report bugs to the company without fear of reprisal.