As services like Twitter provide critical infrastructure for people seeking to communicate and share ideas, maintaining security and uptime is essential. To increase their success in these areas, some companies have initiated bug bounty programs to solicit help from the public. Twitter, for example, has found its bug bounty program to be “an invaluable resource for finding and fixing security vulnerabilities.”
The company announced today that in the past two years, it has received 5,171 bug submissions from 1,662 researchers and paid a total of $322,420 in rewards. From this total payout, the average amount paid was $835 and the highest was $12,040. To honor its history, Twitter pays in multiples of 140, with a minimum payment of $140. Notably, last year, a single researcher received more than $54,000 in rewards for reporting vulnerabilities.
Started in 2014, Twitter enlisted the help of HackerOne to manage its bug bounty program. The company looks for any possible vulnerabilities related to remote code execution, authentication issues, cross site scripting, cross site request forgery, and more. And these security measure are not just for Twitter’s core service, but also for Vine, Periscope, Fabric, MoPub, ZeroPush, and its mobile apps.
Twitter’s bug bounty program certainly isn’t unique, as other companies, like Facebook and Google, have similar programs in place. In January, Google revealed that it had paid security researchers over $6 million in the past six years — in 2015, more than 300 different researchers received over $2 million after finding 750 bugs.
Facebook shared that it has paid out more than $3 million since starting its bug bounty program in 2011, with $1.3 million given out in 2014 to just 321 researchers worldwide. The average amount received was $1,788.
The sizable difference in payouts among these three companies is likely because Facebook and Google are more diverse in their services and have hundreds of millions more users than Twitter, which means that there’s a greater chance of having a vulnerability exposed.