

As services like Twitter provide critical infrastructure for people seeking to communicate and share ideas, maintaining security and uptime is essential. To increase their success in these areas, some companies have initiated bug bounty programs to solicit help from the public. Twitter, for example, has found its bug bounty program to be “an invaluable resource for finding and fixing security vulnerabilities.”

The company announced today that in the past two years, it has received 5,171 bug submissions from 1,662 researchers and paid a total of $322,420 in rewards. From this total payout, the average amount paid was $835 and the highest was $12,040. To honor its history, Twitter pays in multiples of 140, with a minimum payment of $140. Notably, last year, a single researcher received more than $54,000 in rewards for reporting vulnerabilities.

Twitter's bug bounty program started in 2014, and the company enlisted the help of HackerOne to manage it. The company looks for any possible vulnerabilities related to remote code execution, authentication issues, cross-site scripting, cross-site request forgery, and more. And these security measures are not just for Twitter’s core service, but also for Vine, Periscope, Fabric, MoPub, ZeroPush, and its mobile apps.


Above: Chart displaying the trend of bug bounty submissions and payouts by Twitter from 2014-2015.

Image Credit: Twitter

Twitter’s bug bounty program certainly isn’t unique, as other companies, like Facebook and Google, have similar programs in place. In January, Google revealed that it had paid security researchers over $6 million in the past six years — in 2015, more than 300 different researchers received over $2 million after finding 750 bugs.

Facebook shared that it has paid out more than $3 million since starting its bug bounty program in 2011, with $1.3 million given out in 2014 to just 321 researchers worldwide. The average amount received was $1,788.

The sizable difference in payouts among these three companies is likely because Facebook and Google are more diverse in their services and have hundreds of millions more users than Twitter, which means that there’s a greater chance of having a vulnerability exposed.

VentureBeat
