Social network site Facebook has paid out $40,000 to people that have reported security bugs in its service, just one month after launching its Bug Bounty Program.
Writing on the site’s blog, Facebook’s chief security officer Joe Sullivan said the program has so far been, "valuable beyond our expectations," as it has revealed "novel attack vectors." These discoveries have made the site more secure, Sullivan said.
Facebook launched the initiative last month, promising to pay a minimum of $500 for bug reports. The company has paid out one bounty totalling $5,000 for a single report, which Sullivan described as "really good."
Another user reported six different vulnerabilities on the site and received more than $7,000.
Sullivan added that opening up bug testing in this way has helped Facebook find more issues than it would have been able to do in-house. "We know and have relationships with a large number of security experts, but this program has kicked off dialogue with a whole new and ever expanding set of people across the globe in over 16 countries, from Turkey to Poland who are passionate about Internet security," Sullivan said.
"The program has also been great because it has made our site more secure–by surfacing issues large and small, introducing us to novel attack vectors, and helping us improve lots of corners in our code," he added.
However it is unlikely Facebook will roll the service out to Facebook Platform to check third-party websites and applications for vulnerabilities.
"Unfortunately, that’s just not practical because of the hundreds of thousands of independent Internet services implicated, but we do care deeply about security on the Platform. We have a dedicated Platform Operations team that scrutinises these partners and we frequently audit their security and privacy practices. Additionally, we have built a number of backend tools that help automatically detect and disable spammy or malicious applications," he said.
"At the end of the day, we feel great knowing that we’ve launched another strong effort to help provide a secure experience on Facebook. A bug bounty program is a great way to engage with the security research community, and an even better way to improve security across a complex technological environment," Sullivan concluded.
