Facebook is adding a new perk to its bug bounty program that will pay bonus rewards to researchers based on the time it takes the social network to fix a vulnerability after it’s found and reported by bug hunters. 

Essentially, Facebook is acknowledging that it’s sometimes slow to reach a bounty decision and is using this bonus payment to encourage patience among the researchers in its bug bounty community.  

The Payout Time Bonus will reward reports that are paid more than 30 days from the time Facebook receives all the necessary information for a successful reproduction of the report and its impact, Facebook said. 

The bonuses will be paid on a sliding scale, with payouts made between 30-59 days receiving a 5% bonus; payouts made between 60-89 days receiving a 7.5% bonus; and payouts made after 90 days or more receiving a 10% bonus. Reports that require clarification from the researcher will have the payments adjusted accordingly.

Facebook has always maintained a friendly relationship with the infosec community, and is one of the few companies managing its own bug bounty program. Facebook is known for offering large payouts on a regular basis, and often open-sourcing many security-focused tools.

After the Cambridge Analytica scandal, Facebook intensified its efforts into improving the security of its main platform and mobile apps, but also its adjacent third-party app ecosystem.

In 2018, Facebook started paying significant bug bounties to researchers who discovered exposures of user data in popular Facebook third-party apps and games. The following year, the social network expanded its bug bounty program to offer rewards for finding cases where third-party services exposed Facebook user access tokens. Around the same time, Facebook also began offering rewards of up to $40,000 to researchers who found vulnerabilities that could lead to account takeovers.