SecurityWeek

Facebook Expands, Enhances Bug Bounty Programs

Facebook this week announced an expansion to its bug bounty program for third-party apps, as well as a series of bonuses for bugs in native products.

The social platform has been running a bug bounty program for third-party apps and websites since last year, but until now it only covered vulnerabilities involving improper exposure of Facebook user data.

Now, the company says it is expanding the scope of this program to cover flaws in third-party apps and websites that integrate with Facebook and which are discovered through active penetration testing authorized by the third party, not only through passive observation.

Researchers who comply with the third party's vulnerability disclosure or bug bounty program can submit their findings to Facebook. Proof of the authorization granted by the third party should be included with the report.

“By committing to rewarding valid reports about bugs in third-party apps and websites that impact Facebook data, we hope to encourage the security community to engage with more app developers. We also want to incentivize researchers to focus on apps, websites and bug bounty programs that otherwise may not get as much attention or may not have resources to incentivize the bug bounty community,” Facebook says.

Researchers who hunt for vulnerabilities in Facebook's native products, such as WhatsApp, Messenger, Oculus, Portal, Proxygen and mvfst, may receive additional bonuses for bugs that could lead to remote code execution, privilege escalation, or user data compromise, the social platform also announced.

These reports must include a high-quality proof of concept to be eligible, and the bonus amount will depend on the completeness of the exploit, its impact, and the level of user interaction required.

Facebook says it is willing to pay bonuses of up to $15,000 for proof of concepts with functional exploits, up to $9,000 for proof of concepts that demonstrate instruction pointer control or arbitrary write, up to $5,000 for proof of concepts that demonstrate an arbitrary read, and up to $1,000 for proof of concepts that demonstrate a pointer leak that can be used to bypass ASLR.

Facebook has published additional information on the bonus structure for native bugs, along with examples of eligible reports, and explains that bugs with limited impact will not be eligible for a bonus even if they are accompanied by a high-quality proof of concept.

If no proof of concept is provided and the full impact of the vulnerability is only determined internally, the social platform will still award a bounty based on impact, but not a bonus.

“Reports should avoid stack traces without symbols (if symbols are available), low quality proof of concepts (such as a large fuzz file that hasn’t been minimized), or only sending in a crash dump,” Facebook explains.
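The guidance quoted above asks for a minimized input rather than a raw fuzzer-generated crash file. The following is an added example, not Facebook's code and not from the original article: a delta-debugging (ddmin) minimizer that repeatedly removes chunks of a crashing input while a crash oracle still reports a crash, ending with an input from which no single byte can be removed. The `toy_target_crashes` parser and `SAMPLE_CRASH_INPUT` are constructed stand-ins so the script runs offline; `signal_crash_oracle` shows how the same minimizer would be pointed at a real target binary, where `cmd` is whatever command the reporter is fuzzing (an assumption, not something the article names).

```python
"""Delta-debugging minimizer for a crashing fuzz input (added example).

ddmin (Zeller & Hildebrandt) shrinks a crash-triggering file to an input that
still satisfies a crash oracle, so a bug report carries a small, reviewable
proof of concept instead of an unminimized fuzz file.
"""
import os
import subprocess
import tempfile
from typing import Callable, List, Optional

Oracle = Callable[[bytes], bool]


def ddmin(data: bytes, crashes: Oracle) -> bytes:
    """Return a 1-minimal subsequence of `data` for which `crashes` is True,
    i.e. removing any single remaining byte makes the oracle return False."""
    if not crashes(data):
        raise ValueError("input does not trigger the crash oracle")
    n = 2  # granularity: number of chunks the current input is split into
    while len(data) >= 2:
        bounds = [i * len(data) // n for i in range(n)] + [len(data)]
        chunks: List[bytes] = [data[bounds[i]:bounds[i + 1]] for i in range(n)]

        # 1. Reduce to a subset: does one chunk on its own still crash?
        subset: Optional[bytes] = next((c for c in chunks if crashes(c)), None)
        if subset is not None:
            data, n = subset, 2
            continue

        # 2. Reduce to a complement: does dropping one chunk still crash?
        #    (With n == 2 the complements are the subsets already tested.)
        complement: Optional[bytes] = None
        if n > 2:
            for i in range(n):
                candidate = b"".join(chunks[:i] + chunks[i + 1:])
                if crashes(candidate):
                    complement = candidate
                    break
        if complement is not None:
            data, n = complement, max(n - 1, 2)
            continue

        # 3. Neither helped: refine the granularity, or stop at single bytes.
        if n >= len(data):
            break
        n = min(n * 2, len(data))
    return data


def toy_target_crashes(buf: bytes) -> bool:
    """Constructed stand-in for a real target (hypothetical, for offline use):
    a TLV parser whose record header is 0xFF followed by a length byte, and
    which never checks that length against the remaining buffer. Returning
    True models the out-of-bounds read that would crash the real program."""
    i = 0
    while i < len(buf):
        if buf[i] == 0xFF and i + 1 < len(buf):
            length = buf[i + 1]
            if i + 2 + length > len(buf):
                return True
            i += 2 + length
        else:
            i += 1
    return False


def signal_crash_oracle(cmd: List[str], timeout: float = 5.0) -> Oracle:
    """Build an oracle that runs `cmd <file>` on each candidate input and
    treats termination by a signal (SIGSEGV, SIGABRT, ...) as a crash.
    A hang is deliberately not counted as a crash."""
    def crashes(data: bytes) -> bool:
        fd, path = tempfile.mkstemp(prefix="ddmin-")
        try:
            with os.fdopen(fd, "wb") as f:
                f.write(data)
            try:
                proc = subprocess.run(cmd + [path], timeout=timeout,
                                      stdout=subprocess.DEVNULL,
                                      stderr=subprocess.DEVNULL)
            except subprocess.TimeoutExpired:
                return False
            return proc.returncode < 0  # negative code: killed by a signal (POSIX)
        finally:
            os.unlink(path)
    return crashes


# Constructed sample: 30 bytes of filler, then a header whose declared
# length (9) runs past the end of the buffer.
SAMPLE_CRASH_INPUT = b"A" * 30 + b"\xff\x09"


def minimize_sample() -> bytes:
    """Minimize the constructed sample against the toy parser."""
    return ddmin(SAMPLE_CRASH_INPUT, toy_target_crashes)


if __name__ == "__main__":
    minimized = minimize_sample()
    print(f"{len(SAMPLE_CRASH_INPUT)} bytes -> {len(minimized)} bytes: {minimized!r}")
```

Against a real binary, replace `toy_target_crashes` with `signal_crash_oracle(["./target"])` (or a sanitizer-instrumented build, checking its report instead of the signal). The result is 1-minimal, not globally minimal: ddmin can stop at a larger input where every single-byte removal masks the bug, so it is still worth reading the minimized file to confirm it exercises the path you intend to report.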

All reports must comply with Facebook’s Bug Bounty Program Terms and Conditions.

At this year's Pwn2Own contest in Tokyo, researchers will be able to stress-test the Oculus Quest and Portal devices, as Facebook wants to direct attention to the increasingly popular augmented and virtual reality technology.

Written by Ionut Arghire, an international correspondent for SecurityWeek.
