It's kind of ingenius, if you ask me. Ask the IT community, a people who would rather find fault with something than breathe, to isolate flaws in your system. And then pay them for the info!
The good thing is that Google and Facebook are asking people to report only security flaws – if they opened the door to typos or design, they'd be bankrupt tomorrow. I'm not saying that those sites are typo-filled; I'm saying that there are people out there who could make a decent living harping on minutiae.
Facebook recently announced that it has paid out over $1 million to 329 security researchers as part of its bounty program in only two years; Google says it passed the $2 million mark in three years. Both companies are extremely pleased with the results.
Google is so pleased with the results so far that it's raising reward levels for its Chromium program. That is, bugs that were previously rewarded at the $1,000 level will now be considered for reward at up to $5,000—that's quite an increase.
Here's some information for the Google Bug Bounty program:
The general criteria Facebook uses to gauge the amount of reward for its program is broken into four factors:
Quality of communication: Can you provide detailed, easy-to-follow instructions on how to reproduce the issue? Do you have a proof of concept, or screenshots? Cooperation and good communication as Facebook works to evaluate a submission is crucial. Facebook does not reward anyone for speaking English or for writing long reports.
Target: Facebook.com, Instagram, HHVM, and Facebook's mobile applications are considered high-value targets, and typically earn more significant bounties than bugs in code not written by Facebook or bugs that are unrelated to user data.
Secondary Damage: Bugs that lead Facebook to more bugs get bigger payouts. In these cases, the initial bug is much more valuable because the subsequent investigation and fixing of the original bug leads us to additional issues that the company can fix.
Looks like a good way to earn a little extra cash!
Toni Bowers is Managing Editor of TechRepublic and is the award-winning blogger of the Career Management blog. She has edited newsletters, books, and web sites pertaining to software, IT career, and IT management issues.