Facebook Paid Researchers $1.5 Million to Fix Software Bugs

Bug bounties included $33,350 paid to a Brazilian researcher.


Social networking giant Facebook paid out more than $1.5 million to security researchers who helped it find and fix software bugs and security vulnerabilities in its software code, the company said in a post today.

The company runs a bug bounty program under which security researchers and others can submit vulnerabilities they find. During 2013, Facebook said it received nearly 15,000 submissions, of which 687 were severe enough to warrant payments. The average reward per bug reported was $2,204. Most were found in what Facebook calls “non-core” properties, mainly sites belonging to companies it has acquired.

Most issues reported end up not being considered valid, but each is considered important until it has been reviewed, Collin Greene, a Facebook security engineer, wrote.

Researchers in Russia earned the most, averaging nearly $4,000 per report for 38 bugs. Researchers in India reported the highest number of valid problems, averaging about $1,350. Researchers in the U.S. reported 92 problems that required a fix, averaging about $2,300 each.

The biggest payout of the year — and the largest Facebook has made yet — was for $33,350 to Reginaldo Silva, a researcher in Brazil, for the discovery of a weakness in some of Facebook’s XML code.

This article originally appeared on
