Russian and Brazilian Hackers Discover Facebook's Biggest Holes

Photographer: Simon Dawson/Bloomberg

Facebook Inc.'s data storage center near the Arctic Circle in Lulea, Sweden on June 12, 2013.

Russia and Brazil are hacking Facebook, and the social network is paying them to do it.

Facebook paid out $1.5 million to computer-security researchers worldwide last year as part of its bug bounty program, and the two emerging markets were responsible for reporting some of the most critical threats, according to a report Facebook released today. The company rewards disclosures about vulnerabilities, and then uses the information to fortify the world's largest social network against hackers.

Researchers in Russia submitted 38 bugs, for which Facebook paid an average of $3,961 each, totaling $150,518. Those in Brazil found 53 bugs, worth $3,792 on average, for a total of $200,976.

Researchers in India contributed the largest number of bugs, at 136, but earned just $1,353 on average for each of them, amounting to a total of $184,008. Those in the U.S. earned an average of $2,272 each for 92 bugs, totaling $209,024.

Facebook ranks the severity of bugs by how much damage they could inflict on individual users and on the network as a whole. The more serious a weakness, the higher the payout. While hackers in Russia and Brazil are finding and disclosing fewer bugs to Facebook than those in India and the U.S., those bugs tend to present a more serious danger.

Such bug bounty programs are a popular way for technology companies such as Google, Firefox maker Mozilla and Hewlett-Packard to secure their services. These programs can be more cost-effective than relying only on hired security auditors, and far cheaper than dealing with the consequences of a breach.

Collin Greene, a security engineer at Facebook, wrote in a blog post that the company received nearly 15,000 submissions last year, more than triple the number in 2012. Just 687 of those were deemed valid, and of those, 6 percent were classified as high severity. The company took about six hours on average to push out an initial fix for each vulnerability, according to Greene.

"The volume of high-severity issues is down, and we're hearing from researchers that it's tougher to find good bugs," Greene wrote. "To encourage the best research in the most valuable areas, we're going to continue increasing our reward amounts for high priority issues."
