When it comes to bug bounties, Facebook lags behind the likes of Microsoft and Google in terms of overall payouts and volume of tips received: last year, Microsoft and Google respectively paid out $13.6 million and $6.7 million; Facebook meanwhile paid out just $1.98 million as of November.
But on the other hand, Facebook’s a younger company and is working on improving its system to keep it on bounty hunters’ radar. In the latest development, Facebook today said that it would be adding a new set of bonus rewards when it pays out on a report if more than 30 days have passed since Facebook first received it.
The Payout Time Bonus, as Facebook is calling it, will work on a sliding scale, where payouts made between 30-59 days will get a 5% bonus; payouts made between 60-89 days will get a 7.5% bonus; and payouts made after 90 days or more will get a 10% bonus. Facebook doesn’t specify what the base amount is, but in its last round of bounties, its highest payouts per bug were as much as $80,000 and $60,000 with some $40,000 paid out in its existing bonus program.
The extra money will work as a kind of incentive to bounty hunters who make a living from these tips, so that when delays happen with Facebook paying out for legitimate tips, the bug hunters know they’ll get a more lucrative reward for their work in the end — rather than get turned off from working on Facebook-property bugs altogether.
Bug hunting has become a big business for security researchers, with some making upwards of $1 million annually from the programs. But bounty hunting is a double-edged sword: it definitely focuses top minds on to specific platforms, but in doing so, they spend more time there than looking for vulnerabilities in some places than others. That leads the biggest platforms to ensure that they are making their bug-ridden environments more, or as, “attractive” as others to get people to contribute to their work.