Facebook this week announced an expansion to its bug bounty program for third-party apps, as well as a series of bonuses for bugs in native products.
The social platform has been running a bug bounty program for third-party apps and websites since last year, but only included vulnerabilities involving improper exposure of Facebook user data.
Now, the company says it is expanding the scope of this program to include flaws in third-party apps and websites that integrate with Facebook and that are discovered through active pen-testing authorized by the third party, not only via passive observation.
Researchers who comply with the third party’s vulnerability disclosure or bug bounty program can submit their findings to Facebook. Proof of authorization granted by the third party should be included when submitting a report.
“By committing to rewarding valid reports about bugs in third-party apps and websites that impact Facebook data, we hope to encourage the security community to engage with more app developers. We also want to incentivize researchers to focus on apps, websites and bug bounty programs that otherwise may not get as much attention or may not have resources to incentivize the bug bounty community,” Facebook says.
Researchers who hunt for vulnerabilities in Facebook’s native products, such as WhatsApp, Messenger, Oculus, Portal, Proxygen and mvfst, may receive additional bonuses for bugs that may lead to remote code execution, privilege escalation, or user data compromise, the social platform also announced.
These reports must include a high-quality proof of concept to be eligible, and the bonus will depend on the completeness of the exploit, impact, and the level of required user interaction.
Facebook says it is willing to pay bonuses of up to $15,000 for proofs of concept with functional exploits, up to $9,000 for proofs of concept that demonstrate instruction pointer control or arbitrary write, up to $5,000 for proofs of concept that demonstrate an arbitrary read, and up to $1,000 for proofs of concept that demonstrate a pointer leak that can be used to bypass ASLR.
Facebook has published additional information on the bonus structure for native bugs, as well as examples of eligible reports, and explains that bugs with limited impact will not be eligible, even if they are accompanied by a high-quality proof of concept.
The social platform will still award a bounty based on impact, but not a bonus, if a proof of concept is not provided and the full impact of the identified vulnerability is discovered internally.
“Reports should avoid stack traces without symbols (if symbols are available), low quality proof of concepts (such as a large fuzz file that hasn’t been minimized), or only sending in a crash dump,” Facebook explains.
All reports must comply with Facebook’s Bug Bounty Program Terms and Conditions.
At this year’s Pwn2Own contest in Tokyo, researchers will be able to stress-test the Oculus Quest and Portal devices, as Facebook wants to direct attention to the increasingly popular augmented and virtual reality technology.