Facebook's "Bug Bounty" programme has paid out $1m in total to users-turned-security-bug-hunters in the past two years, with the youngest recipient being a 13-year-old boy.
The largest single "bounty" has been $20,000, and two recipients have been offered full-time jobs with the Facebook security team.
Further reading Facebook admits breach exposed private data of six million users over last year Facebook CEO Zuckerberg meets with Samsung in attempt to boost mobile sales Meet the downsizers who quit the likes of Google and Facebook for a new life at a start-up
This information comes from Facebook's blog, which calls its two-year scheme "encouraging", saying that putting quality assurance and testing over to incentivised users has had "a significant impact" on the company's ability to keep Facebook secure.
"After all, no matter how much we invest in security - and we invest a lot - we'll never have all the world's smartest people on our team and we'll never be able to think of all the different ways a system as complex as ours might be vulnerable," said Collin Greene, Facebook security engineer.
Facebook bug bounties begin at $500 (£327), with no maximum reward, and Facebook rewards its researchers on four primary factors - "impact, quality of communication, target and secondary damage", states the blog.
With the rule of thumb "bugs that lead us to more bugs get bigger payouts", Facebook prioritises high-impact vulnerabilities that would allow access to private Facebook data, modifying accounts or running JavaScript through the site.