Facebook adds time bonus rewards for security bug bounty hunters

Facebook has added a new perk to its bug bounty program that will pay bonus rewards to researchers based on the time it takes the social network to fix a vulnerability after it’s found and reported by bug hunters. 

The Payout Time Bonus will reward reports that are paid more than 30 days from the time Facebook receives all the necessary information for successful reproduction of the report and its impact, Facebook said.

The bonuses will be paid on a sliding scale: payouts made between 30 and 59 days receive a 5% bonus; payouts made between 60 and 89 days receive a 7.5% bonus; and payouts made at 90 days or more receive a 10% bonus. Reports that require clarification from the researcher will have their payments adjusted accordingly.

Facebook is admitting that, in some instances, it can be slow to reach a bounty decision and is using this bonus payment to encourage patience among the researchers in its bug bounty community.

Facebook is known for regularly offering large payouts and for open-sourcing many of its security-focused tools. After the Cambridge Analytica scandal, Facebook intensified its efforts to improve the security of its main platform and mobile apps, as well as its adjacent third-party app ecosystem.

In 2018, Facebook started paying significant bug bounties to researchers who discovered exposures of user data in popular Facebook third-party apps and games. The following year, the social network expanded its bug bounty program to offer rewards for finding cases where third-party services exposed Facebook user access tokens. Around the same time, Facebook also began offering rewards of up to $40,000 to researchers who found vulnerabilities that could lead to account takeovers.

Facebook stepped up its efforts to woo bounty hunters last year with the launch of Hacker Plus, the first-ever loyalty program for a tech company’s bug bounty platform. Designed after the loyalty programs used by airlines and hotels, Facebook said Hacker Plus would provide extra bonuses and special perks to bug hunters based on their past reports.

As of November, Microsoft and Google had paid out $13.6m and $6.7m respectively in bug bounties, while Facebook had paid out just $1.98m.

Copyright © 2018 RegTech Analyst