Facebook has paid security researchers US$5million in five years, after they found vulnerabilities in its platforms and quietly disclosed them under its bug bounty program.

The Social Network™ runs a well oiled bounty program and pays generously when it receives notice of flaws and working proof-of-concepts, provided they are not already public or used in attacks against users.

Security engineer Joey Tyson says the money went to about 900 researchers with an average payout of US$5,556.

Payments from the social networking and advertising kingpin from January to June this year alone have tipped US$611,741 made to 149 researchers for an average payout of US$4106.

Most bug bounty researchers are based in India, followed by the United States and Mexico.

"Launching and running a program of this size for five years is not easy, and we couldn't have done it without the support of the broader security research community," Tyson says.

"Five years of experience has helped us refine and strengthen many aspects of our program, and we heard from researchers that they appreciate our rewards, triaging, and quick fixes."

Facebook pats itself on the back, saying its long-running bug bounty has helped to make such programs popular. The company says it will continue to hone its service to appease researchers.

Part of that effort includes more detailed information about the reasoning for payments based on real risk, and the inclusion of more products and services such as WhatsApp.

Facebook also implemented automated payments and allowed bounties to be paid in Bitcoin.

One of its higher payments went to Bangalore-based hacker Anand Prakash who scored US$15,000 for reporting in March a global account hijacking hole. ®