Facebook today announced it paid out $1.3 million to 321 security researchers around the world in 2014 as part of its bug bounty program. The company has now given over $3 million in rewards since launching the program back in August 2011.

Yet 2014’s figure is actually lower than the year before: Facebook paid 330 security researchers $1.5 million in 2013. That said, the company says submissions in 2014 increased by 16 percent to 17,011 (from 2013’s 14,763).

Facebook also says the program is continuing to produce high-quality reports. More specifically, 61 of last year’s eligible bugs were categorized as high severity, or 49 percent more than the previous year.

These severe bugs are worth the effort. While the average reward in 2014 was just $1,788, the smallest single reward was $500 and the largest was $30,000. In fact, the top five earners last year collectively netted $256,750.

Security researchers in 65 countries received rewards last year, up from 58 countries in 2013. That said, 123 countries are reporting bugs — they’re just not all getting bounties.

Here are the top five countries in terms of valid bugs reported to Facebook in 2014:

  1. India: 196 bugs, average reward of $1,343 (India was also first in 2013)
  2. Egypt: 81 bugs, average reward of $1,220
  3. The U.S.: 61 bugs, average reward of $2,470
  4. The U.K.: 28 bugs, the highest amount per report in 2014 with an average of $2,768
  5. The Philippines: 27 bugs, average of $1,093

Also in 2014, Facebook added new properties to the scope of its bug bounty program: Oculus and Moves. The year before, Facebook added Instagram, Parse, Atlas, and Onavo.

Although Facebook technically paid out less in 2014 than in 2013, all other metrics are up. As the company put it: “We’re excited to see what 2015 holds for the bug bounty program. Report volume is at its highest levels, and researchers are finding better bugs than ever before.”

So far this year, Facebook has already received more than 100 valid reports. We can’t help but wonder if one of them is a virtual reality security bug.