Indian bounty hunters found the largest number of bugs on Facebook, taking home an average reward of over $1,300. According to data released by Facebook,  Indian participants in the bug bounty program found 136 valid bugs on Facebook.

The USA reported 92 issues and averaged $2,272 in rewards. Brazil and the UK were third and fourth by volume, with 53 bugs and 40 bugs, respectively, and average rewards of $3,792 and $2,950.

Facebook has now included companies like Instagram, Parse, Atlas, and Onavo into the bug bounty program.


Here are some of the other highlights from Facebook security engineer Collin Greene

  • Facebook received 14,763 submissions in 2013, a 246% increase from 2012.
  • Of these, 687 were valid and eligible to receive rewards.
  • 6% of eligible bugs were categorized as high severity. From reading the first submission to implementing an initial fix, Facebook’s median response time for these high-severity issues was about 6 hours.
  • Facebook has paid over $2M since they got started in 2011. In 2013, they paid out $1.5M to 330 researchers.
  • The average reward in 2013 was $2,204.

Big Bugs

XML External Entities Attack: Facebook awarded $33,500 to Reginaldo Silva for discovering an XML external entities attack capable of reading files from a Facebook web server to an internal service that could run code. More here.

ActionScript Filtering Bypass: Facebook learned from a report that using jar:javascript:alert(1) inside a .swf file could bypass allowscript=never and execute JavaScript on Firefox.

UI Confusion Bug: Facebook awarded a bounty after learning that the UI logic on its Page administrator tool could have caused someone attempting to decline an admin confirmation request to inadvertently add that person as an admin.

Add comment