When it comes to bug bounties, Facebook lags behind the likes of Microsoft and Google in terms of overall payouts and volume of tips received: last year, Microsoft and Google respectively paid out $13.6 million and $6.7 million; Facebook meanwhile paid out just $1.98 million as of November.
On the other hand, Facebook’s a younger company and is working on improving its system to keep it on bounty hunters’ radar. In the latest development, Facebook today said that it would add a new set of bonus rewards when it pays out on a report if more than 30 days have passed since Facebook first received it.
The Payout Time Bonus, as Facebook is calling it, will work on a sliding scale: payouts made between 30 and 59 days will get a 5% bonus; payouts made between 60 and 89 days will get a 7.5% bonus; and payouts made after 90 days or more will get a 10% bonus. Facebook doesn’t specify the base amount, but in its last round of bounties, its highest payouts per bug were as much as $80,000 and $60,000, with some $40,000 paid out in its existing bonus program. But payments might be as low as $500.
The extra money will work as a kind of incentive for bounty hunters who make a living from these tips: when Facebook is delayed in paying out for legitimate tips, the bug hunters know they’ll get a more lucrative reward for their work in the end, rather than getting turned off from working on Facebook-property bugs altogether.