“India has long topped the list of 127 countries whose researchers contribute to our bug bounty program. It also holds the top position for the country receiving the most bounties paid,” posted Adam Ruddermann, a technical program manager on the Facebook Bug Bounty team.
Since the program’s inception in 2011, India has been home to the largest population of security researchers participating in Facebook’s bug bounty program.
Highlights of Facebook’s Bug Bounty Program
The bounties are paid based on a bug’s risk and not for its complexity or cleverness.
So how is risk calculated?
The first step is to look at the impact the bug can cause and, importantly, whether it will affect end users. Secondly, the team looks at the “resources or technical skills” that the attack would require, and at whether existing features already readily solve the issue.
The team also checks whether the bug actually “violates the intended use of the product” or rather enhances the user experience.
Bounties are paid based on that risk, and are also awarded if the report itself exhibits a high level of clarity, sophistication, and detail.
To get the maximum payment, researchers should provide all the information in the initial submission, with detailed reproduction steps.
The guidelines also clearly state that acquired platforms and products that aren’t part of Facebook are not included in the bug bounty program and are not eligible for bounties.