Hackers discover Facebook's biggest holes

JORDAN ROBERTSON
Last updated 14:34 07/04/2014
BOUNTY HUNTERS: Facebook paid out US$1.5 million to security researchers last year.

Russia and Brazil are hacking Facebook, and the social network is paying them to do it.

Facebook paid out US$1.5 million to security researchers worldwide last year as part of its Bug Bounty programme, and the two emerging markets were responsible for reporting some of the most critical threats, according to a report Facebook released this week.

The company rewards disclosures about vulnerabilities, and then uses the information to fortify the world's largest social network against hackers.

Russians submitted 38 bugs, for which Facebook paid US$3961 each on average, totalling US$150,518. Brazilians found 53 bugs, worth US$3792 on average. Brazil's total take was US$200,976.

Researchers in India contributed the largest number of bugs, at 136, but earned just US$1353 on average for each of them, amounting to a total of US$184,008. Those in the US earned an average of US$2272 each for 92 bugs, totalling US$209,024.

Facebook ranks the severity of bugs by how much damage they could inflict on individual users and on the network as a whole. The more serious a weakness, the higher the payout. While hackers in Russia and Brazil are finding and disclosing fewer bugs to Facebook than those in India and the US, those bugs tend to present a more serious danger.

Such bug bounty programmes are a popular way for technology companies such as Google, Firefox maker Mozilla and Hewlett-Packard to secure their services. These programmes can be more effective than hiring security auditors and cheaper than dealing with the consequences of a breach.

Collin Greene, a security engineer at Facebook, wrote in a blog post that the company received nearly 15,000 submissions last year, more than triple the number in 2012. Just 687 of those were deemed valid, and of those, 6 per cent were classified as high severity. The company took about six hours to push out an initial fix for each vulnerability, according to Greene.

"The volume of high-severity issues is down, and we're hearing from researchers that it's tougher to find good bugs," Greene wrote. "To encourage the best research in the most valuable areas, we're going to continue increasing our reward amounts for high priority issues."