

Facebook Offers $500 Bounty for Reporting Bugs: Why So Cheap? - bootload
http://www.pcmag.com/article2/0,2817,2389460,00.asp

======
simonsarris
Not for reporting bugs. For reporting security bugs.

Google also doesn't offer such bounties when merely reporting bugs. I report
all kinds of Canvas issues to Chromium. Half of them aren't even acknowledged,
even if they get fixed months later.

Google only gives bounties on security bugs, and as far as I know only
significant ones (though we'll see, because I just reported an incredibly
minor security bug to Chromium - getImageData in Canary is capable of getting
image data from outside the Canvas, which is against spec and a security flaw)
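An added example for the canvas point raised above (not code from the thread, from Chromium, or from the reporter): a small reference model of what the HTML canvas spec requires of getImageData, namely that every pixel of the requested rectangle lying outside the canvas bitmap comes back as transparent black (0,0,0,0), together with a probe that flags any out-of-bounds pixel that is not transparent black. The function names makeBitmap, getImageDataRef, findLeakedPixels, probeCanvas and demo are this example's own, and the 4x4 red bitmap is constructed input; probeCanvas assumes a real canvas element and a browser, and is not exercised here.

```javascript
// Added example, not code from the original page or from Chromium.
// Reference model of the canvas spec's getImageData semantics: source
// pixels outside the bitmap are transparent black, never read from
// wherever the backing buffer happens to end.

// Build an RGBA bitmap in the same byte layout as ImageData.data.
// (Sample inputs below are constructed for this example.)
function makeBitmap(width, height, rgba) {
  const data = new Uint8ClampedArray(width * height * 4);
  for (let i = 0; i < width * height; i++) data.set(rgba, i * 4);
  return { width, height, data };
}

// Spec-conformant getImageData over a plain bitmap. The requested
// rectangle may overhang the bitmap on any side; those positions stay
// 0,0,0,0 in the zero-initialised output.
function getImageDataRef(bitmap, sx, sy, sw, sh) {
  const data = new Uint8ClampedArray(sw * sh * 4);
  for (let y = 0; y < sh; y++) {
    for (let x = 0; x < sw; x++) {
      const bx = sx + x;
      const by = sy + y;
      if (bx < 0 || by < 0 || bx >= bitmap.width || by >= bitmap.height) continue;
      const src = (by * bitmap.width + bx) * 4;
      const dst = (y * sw + x) * 4;
      data.set(bitmap.data.subarray(src, src + 4), dst);
    }
  }
  return { width: sw, height: sh, data };
}

// Scan an ImageData-like result of a request made at (sx, sy) against a
// bitmap of the given size. Returns [x, y] positions (result coordinates)
// of out-of-bounds pixels that are not transparent black; empty means the
// implementation behaved as the spec requires.
function findLeakedPixels(imageData, sx, sy, bitmapWidth, bitmapHeight) {
  const leaked = [];
  for (let y = 0; y < imageData.height; y++) {
    for (let x = 0; x < imageData.width; x++) {
      const bx = sx + x;
      const by = sy + y;
      const inside = bx >= 0 && by >= 0 && bx < bitmapWidth && by < bitmapHeight;
      if (inside) continue;
      const o = (y * imageData.width + x) * 4;
      const d = imageData.data;
      if (d[o] || d[o + 1] || d[o + 2] || d[o + 3]) leaked.push([x, y]);
    }
  }
  return leaked;
}

// Browser probe (assumption: a real <canvas> in a page; not run here).
// Fills the canvas opaque red, asks for a rectangle overhanging it by
// 8px on every side, and reports any out-of-bounds pixel that is not
// transparent black.
function probeCanvas(canvas) {
  const ctx = canvas.getContext('2d');
  ctx.fillStyle = 'rgb(255,0,0)';
  ctx.fillRect(0, 0, canvas.width, canvas.height);
  const pad = 8;
  const id = ctx.getImageData(-pad, -pad, canvas.width + 2 * pad, canvas.height + 2 * pad);
  return findLeakedPixels(id, -pad, -pad, canvas.width, canvas.height);
}

// Stand-alone run against the reference model: a conformant
// implementation leaks nothing, so this returns [].
function demo() {
  const bitmap = makeBitmap(4, 4, [255, 0, 0, 255]);
  const id = getImageDataRef(bitmap, -1, -1, 6, 6);
  return findLeakedPixels(id, -1, -1, bitmap.width, bitmap.height);
}
```

The same findLeakedPixels scan works on a real ImageData object, which is what probeCanvas relies on; the reference model is only there so the check can be exercised without a browser.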

~~~
lawnchair_larry
Actually they give bounties on minor security bugs as well - the award depends
on severity. A bug like you describe will most certainly get something (if
Canary is an eligible target).

------
trotsky
The total amount of these bounties is more or less meaningless. No one can
make a living, first-world wage with them - at least not consistently. All of
the programs will pay you significantly less than what you'd get paid for an
equivalent number of hours at a straight job.

What's more, most bugs will sell for 10x the bounty price on the black market.

Bug bounties aren't intended to be competitive compensation. They are intended
to be tokens of appreciation given to people who would be reporting the bugs
anyway. In this context, $500 vs. $1000 (a more typical reward from the Chrome
program) isn't too meaningful.

Whether this works for the researcher or not is up to them.

~~~
nbpoole
+1

At best, a bounty program gives me the incentive to look more closely at a
particular website / application. But I've submitted plenty of vulnerability
reports to companies that don't have bounty programs.

What this bounty really means: if you like finding and responsibly reporting
security vulnerabilities, you now have one more reason to spend time doing so
on Facebook.

------
nbpoole
Why so cheap? Because $500 is the base, not the maximum. $500 is the base
reward for Google and Mozilla's web bounty programs as well. Another similar
bounty program, from CCBill, lists a _maximum_ payout of $500 (although I can
confirm that they can and will issue higher rewards under certain
circumstances: <https://twitter.com/#!/williamlbell/status/97379423816384512>)

[Note: I've participated in the bounty programs for Google, Mozilla, and
CCBill. I've submitted security vulnerabilities to Facebook as well prior to
this bounty program]

------
lawnchair_larry
Article is incorrect about Microsoft. They still offer $0. The 250k is a
bounty on turning in criminal botnet owners.

------
ZoFreX
"But a security researcher cited in ComputerWorld says reporting Facebook bugs
can help budding security researchers make a name for themselves in the tight-
knit security community."

"I can't pay you to make my website, but you can use it in your portfolio!"
springs to mind

------
biot
I found a bug on pcmag.com -- how much is their bounty?

------
hugh3
Hey, at least they're way ahead of Donald Knuth.

~~~
res0nat0r
Personally I'd rather have a check signed by Donald Knuth than a $500 bounty.

~~~
jacques_chester
Which suggests a scheme where Knuth could be paid a one time fee of (say)
$50k, then be asked to issue 0.02c cheques for each bug found.

