Cashing In on Facebook’s “Bug Bounty” Program

Jan 23, 2014 at 10:38 AM ET

It definitely pays to be nerdy.

Yesterday Brazilian software engineer Reginaldo Silva claimed Facebook’s largest “bug bounty” ever. The Facebook reward program compensates security researchers for finding and responsibly reporting vulnerabilities in the company’s sites and services.

His reward: a cool $33,500.

In a blog post published last night, Silva explained the step-by-step process (i.e. techie porn) in which he uncovered the flaw. After finding one particular faulty line of code, Silva remarks “[b]y then I knew I had found the keys to the kingdom.”

Launched in July 2011, the bug bounty program is basically Facebook’s scheme to crowdsource vulnerability discovery: outside researchers hunt for code and security flaws on the Facebook platform and get paid for reporting them privately. The minimum reward is $500, but there is no maximum, meaning that if you find a serious bug that affects thousands, if not millions, of users, you can be set to cash in. According to the most recent Facebook statistics, published in August 2013, the company had paid 329 people from 51 countries a total of more than $1 million in rewards. It has even ended up hiring two researchers who reported bugs.

The bug bounty program hasn’t been without some controversy. In August 2013, a Palestinian security researcher, Khalil Shreateh, claimed to have found a bug that let him post on any user’s timeline, including users who weren’t his friends. When Facebook’s security team dismissed his report, he demonstrated the bug by posting on Mark Zuckerberg’s own timeline.

Understandably, the Zuck didn’t like that very much. Facebook’s security team fixed the bug, but refused to pay the bounty, saying that Shreateh had broken the program’s rules by testing on real users’ accounts instead of test accounts.

No worries, though. The hacker community came to Shreateh’s defense and ended up raising $13,125 for him.