Social networking giant Facebook paid out more than $1.5 million to security researchers who helped it find and fix bugs and security vulnerabilities in its software, the company said in a post today.
The company runs a bug bounty program under which security researchers and others can submit vulnerabilities they find. During 2013, Facebook said it received nearly 15,000 submissions, of which 687 were severe enough to warrant payments. The average reward per bug reported was $2,204. Most were found in what Facebook calls “non-core” properties, mainly sites belonging to companies it has acquired.
Most issues reported end up not being considered valid, but each is considered important until it has been reviewed, Collin Greene, a Facebook security engineer, wrote.
Researchers in Russia earned the most, averaging nearly $4,000 per report for 38 bugs. Researchers in India reported the highest number of valid problems, averaging about $1,350. Researchers in the U.S. reported 92 problems that required a fix, averaging about $2,300 each.
The biggest payout of the year — and the largest Facebook has made yet — was for $33,350 to Reginaldo Silva, a researcher in Brazil, for the discovery of a weakness in some of Facebook’s XML code.