Not every hacker looking to make money must engage in criminal activity.
Facebook (FB) said this week that it has paid over 900 altruistic hackers more than $5 million since the social network debuted its so-called bug bounty program five years ago.
As part of bug bounty programs, companies offer cash and other rewards to security researchers or so-called white hat hackers who break into their computer systems and find security holes. The idea is that such programs help organizations identify security problems and fix them before criminal hackers exploit them.
Get Data Sheet, Fortune’s technology newsletter.
Facebook security engineer Joey Tyson said in a blog post the social network this year added its WhatsApp messaging tool to its list of services that white hat hackers are allowed to crack. Other services include Facebook’s photo sharing service Instagram, its Oculus virtual reality software, and various open-source developer tools that programmers can access for free.
Additionally, Facebook said that it now uses an automated payment process so security researchers can get paid more quickly, and added an option for hackers who want to be paid in the Bitcoin digital currency.
Tyson wrote that Facebook paid nearly $612,000 to 149 researchers in the first half of this year.
“Over the past few months, we’ve sought to better understand what researchers like about our program and where they’d like to see changes,” wrote Tyson. “Five years of experience has helped us refine and strengthen many aspects of our program, and we heard from researchers that they appreciate our rewards, triaging, and quick fixes.”
He wrote that security researchers in India have received the most number of payouts since Facebook initiated its bug bounty program, followed by the U.S. and Mexico.
In July, Twitter said it paid an Indian hacker $10,000 for discovering a hole in its Vine video service that allowed him to access the entire Vine codebase.
For more about cybersecurity, watch:
Additionally, the Pentagon created a bug bounty program in March to entice hackers to break into its computer systems and networks—and of course tell officials about vulnerabilities so they can fix them.