Facebook paid $40,000 to bug hunters in three weeks

Facebook said today it has paid more than $40,000 to people who have uncovered bugs on its Web site in the first three weeks of its Bug Bounty program.

The company launched its bug bounty program at the end of last month as a way to compensate people who find and report bugs that might otherwise go unfixed or be exploited by malicious hackers. Bug hunters can make upwards of $500 per bug reported.

One bug hunter received more than $7,000 for six different issues reported, and another person was paid $5,000 for "one really good report," Joe Sullivan, Facebook chief security officer, wrote in a blog post. "On the other end of the spectrum, we've had to deal with bogus reports from people who were just looking for publicity."

He did not say how many bugs have been reported.

"We know and have relationships with a large number of security experts, but this program has kicked off dialogue with a whole new and ever expanding set of people across the globe in over 16 countries, from Turkey to Poland who are passionate about Internet security," he wrote. "The program has also been great because it has made our site more secure--by surfacing issues large and small, introducing us to novel attack vectors, and helping us improve lots of corners in our code."

Some people have asked Facebook to extend the bounty program to cover third-party applications and Web sites that are part of the Facebook Platform, he said.

"Unfortunately, that's just not practical because of the hundreds of thousands of independent Internet services implicated, but we do care deeply about security on the Platform," the post says. "We have a dedicated Platform Operations team that scrutinizes these partners and we frequently audit their security and privacy practices. Additionally, we have built a number of backend tools that help automatically detect and disable spammy or malicious applications."