Facebook today said it has paid Rs 4.84 crore to researchers in India as part of its bug bounty programme, the most paid to date by the world’s largest social networking platform.
India, which has over 142 million Facebook users, also holds top rank among 127 countries in terms of researchers contributing to its bug bounty programme, it said in a blog.
“India is home to the largest population of security researchers (205) participating in the Facebook bug bounty programme since its inception in 2011. The country also holds the top spot for most bounties paid (Rs 48.4 million),” Adam Ruddermann, a technical program manager on the Facebook Bug Bounty team, wrote.
A bug is an error or defect in software or hardware that causes a program to malfunction. It often occurs due to conflicts in software when applications try to run in tandem.
While bugs can cause software to crash or produce unexpected results, certain defects can be used to gain unauthorised access to systems.
Since its launch in 2011, Facebook’s bug bounty programme has received over 2,400 valid submissions and has awarded more than USD 4.3 million to 800-plus researchers globally.
Under the programme, researchers are rewarded for reporting security bugs and identifying vulnerabilities in Facebook’s services or infrastructure that can create security or privacy risks.
In 2015, Facebook’s team classified 102 bug bounty submissions as high impact, an increase of 38 per cent over the previous year.
It received 13,233 total submissions from 5,543 researchers in 127 countries and paid USD 936,000 to 210 researchers, who submitted a total of 526 valid reports.
The average payout was USD 1,780. India, Egypt, and Trinidad and Tobago received the highest number of payouts.
“Facebook receives more and more high-impact bugs (related reports) from India each year, reflecting the growing sophistication and technical capabilities of the country’s engineering schools and cybersecurity programmes,” he said.
Explaining how Facebook calculated the risk and bounties paid to researchers, Ruddermann said the company looks at the potential impact of a bug, what could possibly go wrong, and who would be affected.
“The primary goal of our programme is to protect the people who use Facebook, so bugs that impact end users are the most important to us. We also consider the difficulty of exploiting the vulnerability and what kind of resources or technical skills a successful attack would require,” he added.
The amount paid in bounties is generally consistent but can change as the risk landscape evolves, he said.
“We also reserve the option to award researchers more than the base amount if the report itself exhibits a high level of clarity, sophistication, and detail,” Ruddermann said.