Just three weeks into its newly launched Bug Bounty scheme, Facebook has already shelled out £25,000 to independent hackers for spotting flaws in its Web site.
"We hire the best and brightest, and have implemented numerous protocols. We realize, though, that there are many talented and well-intentioned security experts around the world who don't work for Facebook," said Facebook's Chief Security Officer, Joe Sullivan.
Sullivan added that more than £4,300 had been paid to one individual who had reported six potential vulnerabilities.
Facebook's Bug Bounty Program has also been well-received by security commentators, who are often critical of the way large companies respond to bug reports.
"We received really positive feedback when we launched our responsible disclosure policy last year, in which we told researchers we would not take adverse actions against them when they followed the policy in reporting bugs," said Sullivan.
"We are one of the first companies to clearly lay out our policy in order to make those who discover vulnerabilities more comfortable in reporting, and we are happy to see that other organizations are adopting a similar stance."
When Facebook announced the Bug Bounty scheme three weeks ago, it joined Mozilla and Google in rewarding researchers who privately report vulnerabilities that could jeopardize the privacy or security of their users. To date, Google has paid more than $300,000 for bugs found on its various web properties, and that doesn't include bounties paid for vulnerabilities reported in Google's Chrome browser.
Sullivan also clarified several fine points of the bug bounty program. The minimum amount paid is $500. He didn't say whether there was a maximum amount, and he didn't spell out the criteria for determining when one report is better than another.