Article Lead Image

Facebook doled out more than $1 million to hackers who breached its security

Thanks to the bounty program, hackers aren't exploiting weaknesses, they're reporting them.


Kevin Morris


Posted on Aug 3, 2013   Updated on Jun 1, 2021, 10:01 am CDT

Facebook has doled out more than $1 million over the past two years to swashbuckling good-guy hackers who’ve helped identify potentially dangerous bugs and security loopholes. It’s further proof that, when it comes to corporate digital security, the carrot wrapped in cash works a lot better than the stick.

It’s also, probably, a lot cheaper. Each year, for just just $500,000, hundreds of hackers around the world scour Facebook’s servers and public code, prodding for any point of weakness. Hiring each of those hackers on a full time or even part time basis would be orders of magnitude more expensive.

Since the White Hat hacking program was introduced in August, 2011, nearly 330 people have won bounties, which begin at $500 and have no upper limit. Winners are international (the U.S. only accounts for 20 percent of recipients) and occasionally not even out of junior high—the youngest was just 13, according to Facebook security engineer Colin Greene. You can also make a career out of it. According to Greene, a few of the regular bounty hunters have already earned more than $100,000.

We have a feeling one of those is Nir Goldshlager, a hacker and CEO of Israeli Web security firm Break Security. In February, Goldshlager found a bug in Facebook’s OAuth, a service  developers use to ask permission to access your page. If he’d wanted to, he could have used the exploit to take control of anyone’s account on the social network. Instead, he reported it to Facebook, taking home an undisclosed award. In March, he did it again.

You can view the full list of winners here.

H/T PCMag | Illustration by Jason Reed

Share this article
*First Published: Aug 3, 2013, 3:36 pm CDT