Here at F8, Facebook’s outgoing chief security officer, Alex Stamos, is giving a talk on how the company does security. One part of the recipe is offering cash payments to people who identify bugs, which expedites discovery and increases the chances that those who discover vulnerabilities will help Facebook patch them before they get abused by bad guys.
Over the past six years, Stamos said, Facebook has paid out $6 million to bug hunters, with $30,000 cited as an example of a typical payment. More than that, the company sometimes hires the people who discovered the bugs, giving it access to a proven talent pool outside the Silicon Valley software-engineering bubble.