When it comes to bug bounties, Facebook lags behind the likes of Microsoft and Google in terms of overall payouts and volume of tips received: last year, Microsoft and Google respectively paid out $13.6 million and $6.7 million; Facebook meanwhile paid out just $1.98 million as of November.
But on the other hand, Facebook's a younger company and is working on improving its system to keep it on bounty hunters' radar. In the latest development, Facebook today said that it would be adding a new set of bonus rewards when it pays out on a report if more than 30 days have passed since Facebook first received it.
The Payout Time Bonus, as Facebook is calling it, will work on a sliding scale, where payouts made between 30-59 days will get a 5% bonus; payouts made between 60-89 days will get a 7.5% bonus; and payouts made after 90 days or more will get a 10% bonus. Facebook doesn't specify what the base amount is, but in its last round of bounties, its highest payouts per bug were as much as $80,000 and $60,000 with some $40,000 paid out in its existing bonus program. But payments might be as low as $500.
The extra money will work as a kind of incentive to bounty hunters who make a living from these tips, so that when delays happen with Facebook paying out for legitimate tips, the bug hunters know they'll get a more lucrative reward for their work in the end — rather than get turned off from working on Facebook-property bugs altogether.
Bug hunting has become a big business for security researchers, with some making upwards of $1 million annually from the programs. But bounty hunting is a double-edged sword: it definitely focuses top minds on to specific platforms, but in doing so, they spend more time there than looking for vulnerabilities in some places than others. That leads the biggest platforms to ensure that they are making their bug-ridden environments more, or as, "attractive" as others to get people to contribute to their work.
Facebook says that it determines bounty amounts based on a variety of factors, including (but not limited to) impact, ease of exploitation, and quality of the report. "If we pay a bounty, the minimum reward is $500," they told me.
"We reward researchers based on the maximum possible impact of their report that we find during our own internal investigation of each bug, rather than based on the impact reported initially by the researcher," they continued. "Sometimes our impact investigations can lead tosignificantly higher bounties for researchers, but they can also sometimes take more time to complete. The Payout Time Bonus is meant to also reward our researchers for their patience during this process.
"Our ongoing payout guideline series, shares more details to help external researchers better understand our payout decisions. We have published three guidelines so far and will publish more in the future."