Bug Bounty programs pay off for Google and Facebook, and IT pros

Google and Facebook find that their Bug Bounty programs are paying off in a big way.

It’s kind of ingenius, if you ask me. Ask the IT community, a people who would rather find fault with something than breathe, to isolate flaws in your system. And then pay them for the info!

The good thing is that Google and Facebook are asking people to report only security flaws – if they opened the door to typos or design, they’d be bankrupt tomorrow. I’m not saying that those sites are typo-filled; I’m saying that there are people out there who could make a decent living harping on minutiae.

Facebook recently announced that it has paid out over $1 million to 329 security researchers as part of its bounty program in only two years; Google says it passed the $2 million mark in three years. Both companies are extremely pleased with the results.

Google is so pleased with the results so far that it’s raising reward levels for its Chromium program. That is, bugs that were previously rewarded at the $1,000 level will now be considered for reward at up to $5,000—that’s quite an increase.

Here’s some information for the Google Bug Bounty program:

·  Guidelines to follow when reporting bugs

·  Reward Nomination Process

The general criteria Facebook uses to gauge the amount of reward for its program is broken into four factors:

Impact: Would this bug allow someone to access private Facebook data? Delete Facebook data? Modify an account? Can you run JavaScript under facebook.com? These are high-impact vulnerabilities, and this is the most important attribute. Ease of exploitation plays into impact as well as ultimately Facebook pays bounties to protect its users, so the more users it could affect and the more damage it could do, the higher the impact.

Quality of communication: Can you provide detailed, easy-to-follow instructions on how to reproduce the issue? Do you have a proof of concept, or screenshots? Cooperation and good communication as Facebook works to evaluate a submission is crucial. Facebook does not reward anyone for speaking English or for writing long reports.

Target: Facebook.com, Instagram, HHVM, and Facebook’s mobile applications are considered high-value targets, and typically earn more significant bounties than bugs in code not written by Facebook or bugs that are unrelated to user data.

Secondary Damage: Bugs that lead Facebook to more bugs get bigger payouts. In these cases, the initial bug is much more valuable because the subsequent investigation and fixing of the original bug leads us to additional issues that the company can fix.

Looks like a good way to earn a little extra cash!

By Toni Bowers

Toni Bowers is the former Managing Editor of TechRepublic and is the award-winning blogger of the Career Management blog. She has edited newsletters, books, and web sites pertaining to software, IT career, and IT management issues.