Facebook Offers Payout Bonus for Bug Bounty Hunters

July 13, 2021
Facebook Enhances Bug Bounty Program with Payout Time Bonuses

Compared to industry leaders like Microsoft and Google, Facebook’s bug bounty program has historically offered lower overall payouts and received fewer submissions. Last year, Microsoft distributed $13.6 million and Google $6.7 million, while Facebook’s total reached $1.98 million by November.

Addressing Payout Delays

Recognizing the need for improvement, Facebook is actively working to refine its system and attract more security researchers. A recent update introduces a new Payout Time Bonus for reports whose payout comes more than 30 days after the initial submission date.

Bonus Structure Explained

The bonus is structured as a sliding scale:

  • Payouts made 30-59 days after submission receive a 5% bonus.
  • Payouts made 60-89 days after submission receive a 7.5% bonus.
  • Payouts made 90 days or more after submission receive a 10% bonus.

While the base payout amount isn't specified, previous bounties have ranged from $500 to as high as $80,000, with some researchers receiving $60,000 and an additional $40,000 through existing bonus programs.

Incentivizing Continued Participation

This additional compensation aims to incentivize bug bounty hunters, particularly those who rely on these programs as a primary income source. The bonus acknowledges potential delays in Facebook’s payout process for valid reports, encouraging continued engagement with Facebook’s security initiatives.

The Growing Bug Bounty Landscape

Security research and bug hunting have evolved into a substantial industry, with some researchers earning over $1 million annually. However, this focus can be a double-edged sword. While it concentrates skilled individuals on specific platforms, it may divert attention from vulnerabilities in other systems.

Attracting Top Security Talent

Consequently, major platforms are striving to make their environments more appealing to researchers, ensuring they remain competitive in attracting contributions to their security efforts.

Factors Influencing Bounty Amounts

Facebook determines bounty amounts based on several factors, including the impact of the vulnerability, its ease of exploitation, and the quality of the report submitted. The minimum reward offered is $500.

Impact Assessment and Payout Determination

Facebook assesses the maximum potential impact of a reported bug through its own internal investigation, rather than solely relying on the researcher’s initial assessment. This process can sometimes lead to increased bounties, but may also require additional time. The Payout Time Bonus is intended to acknowledge researchers’ patience during this evaluation period.

Transparency and Ongoing Guidelines

Facebook is committed to transparency and has launched a series of payout guidelines to help researchers understand their payout decisions. Three guidelines have been published to date, with more planned for the future.
