In the first half of 2016 alone, Facebook’s bug bounty program received 9,000 reports of different bugs in its platform and subsequently paid out $611,741 to program participants.
Wednesday marked the fifth anniversary of the tech giant’s bug bounty program, which rewards freelance hackers and other security researchers for finding software flaws in the social network.
“Launching and running a program of this size for five years is not easy — and we couldn’t have done it without the support of the broader security research community,” Joey Tyson of Facebook’s bug bounty staff wrote in a statement, “we discovered many of the people now on our team through the community of researchers submitting reports.”
Facebook’s bug bounty program was among the first to be instituted in Silicon Valley, with subsequent programs later launched by Twitter, Apple and Amazon. While some bug bounty programs are structured and organized internally, as Facebook has done, others rely on private firms like HackerOne and BugCrowd to recruit white hat hackers, organize their efforts and monitor the boundaries.
In total, dating back to 2011, Facebook has paid out more than $5 million to roughly 900 researchers, the social network announced Wednesday.
Looking forward, Tyson said Facebook will look to improve its bug bounty program by, among other things, sharing the “thinking behind each award” and providing “educational resources on security fundamentals and topics specific to [Facebook] products.”
Bug bounty programs have become popular in recent years because of the low-cost, high-impact solution they offer, enabling companies and government agencies to find, fix and mitigate the risks associated with faulty code in a way that is both effective and more affordable than buying individual exploits from a vendor. For example, a pilot program used by the Pentagon and conducted by HackerOne attracted 1,400 hackers, found 138 vulnerabilities and yet only cost $150,000.