Facebook parent Meta will pay up to $300,000 to security researchers who report exploitable remote code execution (RCE) vulnerabilities in the Android and iOS versions of Facebook, Messenger, Instagram, and WhatsApp.
The actual amount will vary with how much user interaction, measured in "clicks", is required to trigger the flaw: a zero-click exploit earns the most. To qualify for the maximum payout, a researcher would need to include working proof-of-concept code that exploits the flaw on any of the current or previous two major versions of Android, or on a currently supported version of Apple's iOS.
Updated Payout Guidelines
In addition to the updated guidelines for mobile RCE, Meta this week also released new payout guidelines for account takeover (ATO) and two-factor authentication (2FA) bypass vulnerabilities.
The maximum payout for a 2FA flaw is $20,000, while that for an ATO vulnerability is $130,000. Here again, the actual payout will depend on the ease with which an attacker can exploit a vulnerability. For instance, a researcher who reports and demonstrates an exploitable zero-click authentication bug can garner the $130,000 payout, while a one-click ATO will fetch a $50,000 reward.
The company also introduced new payout guidelines for bugs reported in its Meta Quest Pro and other virtual reality (VR) technologies, making Meta one of the first companies to set rewards for vulnerabilities in VR and mixed-reality devices.
Meta’s updated payout guidelines for mobile RCE bugs and its new rewards for ATO and authentication bypass flaws are the latest tweaks to the company’s nearly 11-year bug-bounty program. Under it, Meta has so far paid some $16 million to freelance researchers from around the world who have reported bugs in its online platforms.
The latest changes are part of the company’s effort to ensure that the bug bounties Meta offers and the products that are covered under the program remain aligned with evolving threats, says Neta Oren, the security engineer who leads Meta’s bug-bounty initiative.
“Every year, we continue to learn new things about how to best engage with the community and adjust our program to address some of the most impactful areas in evolving spaces,” Oren says. “Our program has grown from just covering Facebook’s Web page in 2011 to now cover all of our Web and mobile clients across our family of apps, including Instagram, WhatsApp, Oculus, Workplace, and more.”
Meta's bug-bounty program is similar to those of the hundreds of other companies that have implemented crowdsourced vulnerability-hunting programs in recent years. Many security experts consider these programs a relatively cost-effective way of finding vulnerabilities that internal security teams might have missed. The programs give ethical hackers a structured way to report vulnerabilities they discover in a website or Web application, and to receive a reward for the effort.
Many of these programs include safe-harbor clauses under which the program owner commits not to pursue legal action against researchers whose work stays within the program's stated scope and rules; such a clause binds only the vendor that wrote it, not third parties or law enforcement, so researchers still need to read the scope carefully. For vendors, the programs offer a way to get top-notch security researchers to essentially conduct penetration tests on their platforms in a relatively cost-effective manner. Importantly, such programs also give vendors a better shot at ensuring that researchers report a vulnerability directly to them rather than disclosing it publicly before a fix is available, or worse, selling it to a gray-market purchaser.
Some, though, have cautioned that such programs can collapse under the volume of reports researchers submit, much of it duplicates and out-of-scope or low-severity findings, especially if the organization's security team isn't mature enough to triage and respond to them.
Large Volume of Reports
Since Facebook launched its bug-bounty program in 2011, the company has received more than 170,000 reports from bug hunters around the world. The company identified more than 8,500 of those reports as valid vulnerability disclosures, for which it has paid a total of $16 million in rewards.
So far this year, Meta has received some 10,000 reports from researchers in 45 countries and issued bounties totaling more than $2 million for 750 or so identified vulnerabilities. India, Nepal, and Tunisia topped the list of countries in terms of where bounties were awarded so far this year.
“One benefit of having a 10-plus-year bug-bounty program is that some of our researchers have dedicated years to hunting on our platform and have become extremely familiar with our products and services,” Oren says. “These researchers are able to dig beyond surface-level issues and help us identify impactful but niche bugs that the broader community wouldn’t necessarily know to look for.”
One example of an impactful-but-niche finding was an account takeover chained with a 2FA bypass that a long-time security researcher reported this year in Facebook's phone-number-based account recovery flow; the vulnerability could have allowed an attacker to reset passwords and take over accounts not protected by 2FA. Meta awarded $163,000 for the discovery.