"The average reward in 2013 was $2,204, and most bugs were discovered in non-core properties, such as websites operated by companies we've acquired," shared Collin Greene, Security Engineer at Facebook.
"6% of eligible bugs were categorized as high severity. From reading the first submission to implementing an initial fix, our median response time for these high-severity issues was about 6 hours," he added.
Submissions from Indian researchers were most numerous (136) in 2013, followed by those from US, Brazil and UK researchers (92, 53 and 40 bugs found respectively). But Russian researchers have, as a group, earned the most from their submissions - an average of $3,961 for 38 bugs.
Brazilian researcher Reginaldo Silva got the biggest award to date - $33,500 - for discovering a remote code execution flaw affecting Facebook's servers.
"Security is about more than just code, and it's important to remember that security bugs can arise from circumstances that aren't highly technical or complex," Greene pointed out. "For example, we awarded a bounty after learning that the UI logic on our Page administrator tool could have caused someone attempting to decline an admin confirmation request to inadvertently add that person as an admin. We fixed the interface to make the intent clearer."
Greene ended with several announcements about changes to the bug bounty program. Instagram, Parse, Atlas, and Onavo are now also fair game, but text injection reports will no longer be rewarded.
Bounties for high-impact issues will increase as time passes. "In general, the best targets for high-impact issues as a security researcher are facebook.com itself, the Facebook or Instagram mobile apps, or HHVM," he concluded.