How To Make $5 Million Hacking Facebook And Google

By Davey Winder, Contributor

What if I were to tell you that there's big money to be made from hacking Facebook and Google, but not necessarily in the way you might imagine? So far this year, Google hackers have earned more than $3.5 million doing just that. As for Facebook, it made payments of just under $2 million last year.

Yes, I'm talking about security vulnerabilities and the money available for those who can find them.

Bug bounty platforms are the legal route to a profitable hacking career. Both Facebook and Google have recently announced changes to their respective programs and, in so doing, revealed the rewards on offer.

Hacking is not a crime

As regular readers and video viewers will know, #STC is a big fan of the Hacking is NOT a Crime movement. The reality is that cybercrime is a crime, and conflating hackers with cybercriminals is both confusing and potentially damaging.

Without hackers, the world would be a much less secure place. Therefore, it's only proper that hackers who find security holes in products and services should be financially rewarded for their right-side-of-the-law efforts. Some bug bounty hunters have even become millionaires.


Google pays hackers millions of dollars a year

The payments made under the Google vulnerability rewards program (VRP) have varied across the years. Still, they total more than $29 million paid to 2,022 hackers in 84 countries since it launched a decade ago. The biggest single bounty paid to date was in 2019, when one enterprising hacker was awarded $161,000 for discovering an Android security flaw. So far this year, Google has paid out a total of $3,770,000 which is down from the 2020 total of $6,512,000.

What hasn't changed is that Android remains front and center when it comes to bounty payments, with $1,651,000 paid so far in 2021, compared to $1,397,000 for Chrome vulnerabilities. In addition, reporting vulnerabilities across different Google domains such as Chrome, Android, Play and Google itself involved separate vulnerability disclosure systems. That somewhat confusing state of affairs has now gone with the launch of a consolidated Google Bug Hunters platform. Google said this brings those previously scattered platforms into a single format where bugs are easier to submit.

Facebook offers bonuses and shared bounties to hackers

Facebook has also recently updated its vulnerability reporting program. One of the innovations is the payment time bonus which, Facebook said, will "incentivize researchers to provide all information needed for a successful reproduction as quickly as possible." In addition to the actual bounty paid, Facebook will add a bonus of between 5% and 10% if it takes more than 30 days to issue payment after information allowing a successful replication of the issue is submitted.

Facebook now also supports the sharing of bounty payments between multiple hackers on one submission. This is to encourage continued collaboration where the most complex of vulnerabilities is concerned.

When it comes to monies paid, during 2020, Facebook said it paid more than $1.98 million across vulnerability reports exceeding 1,000 in total. Among the most significant single payments were $80,000 for a content delivery network vulnerability and $60,000 in respect of a Messenger for Android security flaw.

