It’s kind of ingenious, if you ask me. Ask the IT community, a
people who would rather find fault with something than breathe, to isolate
flaws in your system. And then pay them for the info!
The good thing is that Google and Facebook are asking people
to report only security flaws – if they opened the door to typos or design,
they’d be bankrupt tomorrow. I’m not saying that those sites are typo-filled; I’m
saying that there are people out there who could make a decent living harping
on minutiae.
Facebook recently announced that it has paid out over $1
million to 329 security researchers as part of its bounty program in only two
years; Google says it passed the $2 million mark in three years. Both companies
are extremely pleased with the results.
Google is so pleased with the results so far that it’s
raising reward levels for its Chromium program. That is, bugs that were previously
rewarded at the $1,000 level will now be considered for reward at up to $5,000—that’s
quite an increase.
Here’s some information for the Google Bug Bounty program:
- Guidelines to follow when reporting bugs
The general criteria Facebook uses to gauge the amount of
reward for its program are broken into four factors:
Impact: Would this bug allow someone to access private Facebook data? Delete Facebook data?
Modify an account? Can you run JavaScript under facebook.com? These are
high-impact vulnerabilities, and this is the most important attribute. Ease of
exploitation plays into impact as well; ultimately Facebook pays bounties to
protect its users, so the more users a bug could affect and the more damage it
could do, the higher the impact.
Quality of communication: Can you provide detailed, easy-to-follow instructions on how
to reproduce the issue? Do you have a proof of concept, or screenshots?
Cooperation and good communication while Facebook works to evaluate a submission
are crucial. Facebook does not reward anyone for speaking English or for writing
long reports.
Target: Facebook.com, Instagram, HHVM, and Facebook’s mobile applications are
considered high-value targets, and typically earn more significant bounties
than bugs in code not written by Facebook or bugs that are unrelated to user
data.
Secondary Damage: Bugs that lead Facebook to more bugs get bigger payouts. In these cases, the
initial bug is much more valuable because the subsequent investigation and
fixing of the original bug leads the company to additional issues that it can
fix.
Looks like a good way to earn a little extra cash!