When it comes to bug bounties, Facebook lags behind the likes of Microsoft and Google both in total payouts and in the number of reports it receives: last year Microsoft and Google paid out $13.6 million and $6.7 million, respectively, while Facebook had paid out just $1.98 million as of November.
Facebook's program is younger, though, and the company is working on improving it to keep it on the radar of bounty hunters. In the latest development, Facebook said today that it will add a new set of bonus rewards to any report it pays out on more than 30 days after first receiving it.
The payout time bonus, as Facebook is calling it, operates on a sliding scale: payments made 30 to 59 days after the report was received get a 5% bonus, payments made between 60 and 89 days get 7.5%, and payments made at 90 days or later get 10%. Facebook doesn't specify what the principal amounts will be, but in its most recent round of bounties the highest payouts per bug were between $60,000 and $80,000, with payouts of around $40,000 for others.
The extra money is meant as an incentive for the bounty hunters who earn a living from these reports: when Facebook is slow to pay for a legitimate report, the hunter ends up with a larger reward for the same work, rather than giving up on Facebook-property bugs entirely.
Bug hunting has become a big business for security researchers, with some earning upwards of $1 million annually from these programs. But bounty hunting is a double-edged sword: it certainly focuses top minds on specific platforms, but in doing so those minds spend more time looking for vulnerabilities in some places than in others. That puts the onus on the biggest platforms to make sure their programs remain worthwhile, and as "attractive" as everyone else's, so that researchers keep contributing their work.