As we close out this year, we’re sharing a number of updates on our work to protect people around the world against various threats. As part of this, we’re sharing some updates from our bug bounty program over the past year, a look at how we are working with external researchers to help secure our virtual reality (VR) and mixed reality metaverse technology, and new payout guidelines with bounty amounts as high as $300,000.
We received hundreds of impactful bug reports in 2022 from researchers all over the world that have helped to make our community more secure, and we paid out more than $2 million in bounty awards.
Here are some highlights from our bug bounty program:
- Since 2011, we have paid out more than $16 million in bug bounties.
- Since 2011, we have received more than 170,000 reports, of which more than 8,500 were awarded a bounty.
- So far in 2022, we have awarded more than $2 million to researchers from more than 45 countries.
- This year, we received around 10,000 reports in total, and issued bounties on more than 750 reports.
- The top three countries based on bounties awarded this year are India, Nepal and Tunisia.
Connecting the Bug Bounty Community With the Metaverse
This year, we prioritized further integrating our bug bounty program into our journey to the metaverse by:
- Highlighting the Scope of Our Program: Today, we’re updating our terms to highlight that our latest products, Meta Quest Pro and the Meta Quest Touch Pro controllers, are eligible for the bug bounty program.
- Updating Payout Guidelines: We’re adding new payout guidelines for VR technology, including bugs specific to Meta Quest Pro. We’re among the first bug bounty programs to set payout guidelines for VR and mixed reality devices and we will continue to update and adjust as the industry evolves.
- Putting Our Technology in the Hands of Researchers: Because the bug bounty space is relatively new for many, we worked this year to make our hardware technology more accessible to the researcher community so they can find and report bugs. For example, we made our VR technology a focus for our annual BountyCon conference, the industry’s only regular conference for bug hunters. One of our highest-rated sessions at this year’s conference was a presentation on how to hunt for bugs across our VR headsets and smart glasses. Following this session, we invited researchers to explore Meta Quest 2 devices and use them during our live hacking event.
One of the bugs we rewarded as part of the conference was submitted by our long-time researcher Youssef Sammouda, who reported an issue in Meta Quest’s OAuth flow that could have led to a 2-click account takeover. We’ve fixed this issue, our investigation has found no evidence of abuse, and we rewarded this report a total of $44,250, including program bonuses.
New Payout Guidelines
To encourage research into specific areas, we’re releasing updated payout guidelines for mobile remote code execution (RCE) bugs, in addition to brand new payout guidelines for account takeover (ATO) and two-factor authentication (2FA) bypass vulnerabilities.
These new guidelines range as high as $130,000 for ATO reports and $300,000 for mobile RCE bugs, making our Bug Bounty program one of the highest paying in the industry.
These guidelines are intended to set an average maximum payout for a particular bug category and describe what mitigating factors we consider in determining the bounty to help researchers prioritize their hunting. Ultimately, each report is evaluated on a case-by-case basis and could, in some cases, be awarded higher than the cap depending on the internally assessed impact.
Bug Highlights
The following are some examples of impactful bugs that we awarded under our new guidelines:
- Account Takeover and Two-Factor Authentication Bypass Chain: We received a report from a bug bounty researcher who identified a bug in Facebook’s phone number-based account recovery flow that could have allowed an attacker to reset passwords and take over an account if it wasn’t protected by 2FA. We’ve fixed this bug and found no evidence of abuse. We rewarded the researcher our highest bounty at $163,000, which reflects its maximum potential impact and program bonuses. While we were investigating, the researcher was able to build on an earlier find to chain it to a separate 2FA bypass bug. We’ve fixed this issue and rewarded the researcher an additional bounty of $24,700, including program bonuses. (Updated on December 23, 2024 at 12:00PM PT).
- 2FA Bypass: We also fixed a bug reported by Gtm Mänôz of Nepal, which could have allowed an attacker to bypass SMS-based 2FA by exploiting a rate-limiting issue to brute force the verification PIN required to confirm someone’s phone number. We awarded a $27,200 bounty for this report.
Thank you to the bug bounty community for a great year — we are excited to work together again in 2023.