Security engineering manager Dan Gurfinkel shared some highlights in a blog post this week:

• Since 2011, Facebook has received more than 130,000 reports, of which over 6,900 were awarded bounties.
• So far, this year, we’ve awarded over $1.98 million to researchers from more than 50 countries.
• Facebook received some 17,000 reports so far in 2020, and it issued bounties on over 1,000 of them.
• For the third year in a row, the company awarded its highest bug bounty payout to date.
• The top three countries based on bounties awarded this year are India, Tunisia and the U.S.

Gurfinkel added that when the program started in 2011, its focus was on the Facebook web page, and it now covers all of the company’s web and mobile clients across its family of applications, including Oculus and Workplace From Facebook.

Its three areas of focus are:

• Innovating ways to direct and incentivize security research into emerging risk areas, such as misuse of Facebook data by app developers or security bugs in third-party apps and websites.
• Building tools for the research community to make it easier and more rewarding to hunt for bugs on Facebook.
• Creating opportunities for collaboration and networking at live hacking events and Facebook’s BountyCon conference.

Gurfinkel wrote, “When we receive a valid report that requires a fix, we look not only at the report as it was submitted, but at the underlying area of code to understand the issue in greater depth. Sometimes this proactive investigation leads us to discover related improvements we can make to better protect people’s security and privacy.”