As services like Twitter have become critical infrastructure for people to communicate and share ideas, maintaining security and uptime is essential. But these companies can’t do it themselves and some have turned to bug bounty programs to solicit the help from the public. For Twitter, it has found its program to be “an invaluable resource for finding and fixing security vulnerabilities.”
The company announced today that in the past two years it has received 5,171 bug submissions from 1,662 researchers and paid a total of $322,420 in rewards. Of those rewards, the average was $835 and the highest was $12,040. In honor of its history, Twitter pays in multiples of 140. Twitter also noted that last year a single researcher received more than $54,000 in rewards for reporting vulnerabilities.
When it started the program in 2014, Twitter enlisted HackerOne to manage it. The minimum payout is $140, and the company is looking for vulnerabilities relating to remote code execution, authentication issues, cross-site scripting, cross-site request forgery, and more. The scope isn’t limited to Twitter’s core service; it also covers Vine, Periscope, Fabric, MoPub, ZeroPush, and its mobile apps.
[Chart: trend of bug bounty submissions and payouts by Twitter, 2014-2015. Image credit: Twitter]
Twitter’s bug bounty program isn’t unique as other companies like Facebook and Google also offer ways for researchers to inform them of vulnerabilities. However, Twitter’s payout isn’t exactly the most that one can receive. In January, Google revealed that it had paid security researchers over $6 million over the past six years — in 2015, more than 300 different researchers received over $2 million after finding 750 bugs.
Facebook shared that it has paid out more than $3 million since it started its bug bounty program in 2011, with $1.3 million given out in 2014 to just 321 researchers worldwide. The average amount received was $1,788.
While payouts differ among these three companies, the likely reason is that Facebook and Google offer a more diverse set of services and have hundreds of millions more users than Twitter, so there is a greater chance of a vulnerability being exposed.