We first wrote about Facebook bug bounties a shade under four years ago.
As we pointed out back then, early detractors of Facebook’s bounty programme were quick to call it cheap, because the bottom-level payout was $500, as it still is today.
To be fair to Facebook, that’s the smallest payout you can get.
Apart from zero, of course, if you report a bug that doesn’t count or isn’t new.
Other companies with bug bounties actually have similar minima.
(Yahoo! famously paid out just $12.50 in company store credit to its first bug bounty winner – although the company that found the bug was actually conducting its own research to see how quickly Yahoo! would react, rather than doing it for the payout.)
At the other end of the scale, the limit on Facebook’s maximum payout is pretty generous: there isn’t one.
So you can do quite nicely out of a reponsible vulnerablity report, as Facebook’s recently-released 2014 Bounty Statistics reveal.
The company paid out a total of $1,300,000 in 2014, which is actually slightly down from 2013’s total of $1.5M.
The average payout (we’re assuming this is a mean average) was $1788, meaning that just over 700 people submitted bugs that were new, relevant and responsibly disclosed.
Interestingly, that means most bug submitters came away empty handed, because Facebook reported a grand total of 17,011 reports.
Of course, that’s one of the downsides of a bug bounty programme: the need to sort the 96% of bug chaff from the 4% of exploitable wheat.
For that reason, we recommend taking a careful look at what does and doesn’t count for any bug bounty programme in which you are thinking of participating.
Facebook, for example, has published a handy list of “These Do Not Qualify” examples to help you avoid disappointment.
Notably, Facebook will not pay out on bug reports of security issues in third-party apps:
These apps are not written or managed by Facebook. We cannot authorize security testing against them and we cannot reward you for any findings.
You could earn a lot more than that $1788 average, though.
A good bet for pulling in ten times as much seem to be finding a way to delete other people’s photographs.
As for just how high Facebook’s unbounded-above payouts went in 2014: we don’t know.
But we can guess, because the company did note that the Big Five bug reports pulled in a total of $256,750, for a mean of just over fifty large ones each.
Another thing we don’t know is whether you can qualify for a payout by finding a bug in the “don’t bother to report these bugs” guidelines.
We spotted one, but we’re not ready to risk the embarrassment of being turned down for pedantry by reporting it. (You are welcome to try yourself, but leave a note in the comments if you do, so everyone else knows not to bother.)
Facebook explicitly warns you not to report as a bug the fact that you can enter your password with [Caps Lock] turned on and still get into the site.
That’s not a bug, it says, but a feature “to help overcome [one of the two] most common reasons that authentic logins are rejected.”
(The other reason is wrongly typing in a capital letter at the start of your password, for example because your spelling checker decided you were beginning a sentence.)