Facebook awarded over $1.98 million to researchers from more than 50 countries this year for reporting bugs on its platforms, and the biggest bug bounty, $80,000, was given for identifying a low-impact issue in its Content Delivery Network (CDN).
The top three countries based on bounties awarded this year are India, Tunisia, and the US, Facebook said in a statement on Thursday.
“Since 2011, we’ve received more than 130,000 reports, of which over 6,900 were awarded a bounty. This year, we received around 17,000 reports in total, and issued bounties on over 1,000 reports,” Facebook said.
The Facebook bug bounty program helps it detect and fix issues faster. Over the past 10 years, more than 50,000 researchers joined this program and around 1,500 researchers from 107 countries were awarded a bounty.
Security researcher Selamet Hariyanto identified a low-impact issue in Facebook's CDN, a global network of servers that deliver content to people accessing its platform around the world.
“After fixing this bug, our internal researchers found a rare scenario where a very sophisticated attacker could have escalated to remote code execution,” Facebook said.
This fall, Natalie Silvanovich of Google’s Project Zero reported a bug that could have allowed an attacker logged in on Messenger for Android to simultaneously initiate a call and send an unintended message type to someone logged in on Messenger for Android and another Messenger client (i.e., a web browser).
“After fixing the reported bug server-side, our security researchers applied additional protections against this issue across our apps that use the same protocol for 1:1 calling. This report is among our three highest bug bounties at $60,000, which reflects its maximum potential impact,” the social network said.
Facebook recently launched Bug Description Language, a tool that helps researchers quickly build a test environment to show how Facebook can reproduce the bug.
“We also created Hacker Plus, our own rewards program, to add bonuses, badges, early access to soon-to-be-released products and features, exclusive invites to bug bounty events, and more. Since its launch just last month, we’ve awarded $40,000 in bonuses.”