Facebook this week announced an expansion to its bug bounty program for third-party apps, as well as a series of bonuses for bugs in native products.
The social platform has been running a bug bounty program for third-party apps and websites since last year, but only included vulnerabilities involving improper exposure of Facebook user data.
Now, the company says it is expanding the scope of this program to include flaws in third-party apps and websites that integrate with Facebook and that are discovered through active penetration testing authorized by the third party, rather than only through passive observation.
Researchers who comply with the third party’s vulnerability disclosure or bug bounty program can submit their findings to Facebook. Proof of the authorization granted by the third party should be included with the report.
“By committing to rewarding valid reports about bugs in third-party apps and websites that impact Facebook data, we hope to encourage the security community to engage with more app developers. We also want to incentivize researchers to focus on apps, websites and bug bounty programs that otherwise may not get as much attention or may not have resources to incentivize the bug bounty community,” Facebook says.
Researchers who hunt for vulnerabilities in Facebook’s native products, such as WhatsApp, Messenger, Oculus, Portal, Proxygen and mvfst, may receive additional bonuses for bugs that could lead to remote code execution, privilege escalation, or user data compromise, the social platform also announced.
These reports must include a high-quality proof of concept to be eligible, and the size of the bonus will depend on the completeness of the exploit, its impact, and the level of user interaction required.
Facebook says it is willing to pay the following bonuses, depending on what the proof of concept demonstrates:
- up to $15,000 for a functional exploit;
- up to $9,000 for instruction pointer control or an arbitrary write;
- up to $5,000 for an arbitrary read;
- up to $1,000 for a pointer leak that can be used to bypass ASLR.
Facebook has published additional information on the bonus structure for native bugs, along with examples of eligible reports, and explains that bugs with limited impact will not be eligible for a bonus, even if they are accompanied by a high-quality proof of concept.
If no proof of concept is provided and the full impact of the vulnerability is only established internally, the social platform will still award an impact-based bounty, but not a bonus.
“Reports should avoid stack traces without symbols (if symbols are available), low quality proof of concepts (such as a large fuzz file that hasn’t been minimized), or only sending in a crash dump,” Facebook explains.
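The "large fuzz file that hasn’t been minimized" that Facebook’s guidance warns against is normally reduced with a delta-debugging pass before it goes into a report. The Python below is an added example, not Facebook’s code and not from the article: it implements Zeller’s ddmin over a byte string against a constructed crash oracle. The oracle `crashes()`, the sample input `SAMPLE_CRASH` and the function name `minimize` are assumptions for illustration; in practice `crashes()` would run the real target and check that it dies with the same sanitizer report or stack, not merely with any crash.

```python
"""Added example (not Facebook's code): ddmin-style minimization of a
crashing fuzz input, so the proof of concept in a report is the smallest
input that still triggers the same bug."""

from typing import Callable


def crashes(data: bytes) -> bool:
    """Constructed crash oracle standing in for the real target (assumption).

    The fake target 'crashes' when the input contains the marker b"BAD!"
    followed, anywhere later, by a 0xff byte. A real harness would run the
    binary and compare the crash signature (sanitizer report, stack, PC)."""
    i = data.find(b"BAD!")
    return i >= 0 and b"\xff" in data[i + 4:]


def ddmin(data: bytes, test: Callable[[bytes], bool]) -> bytes:
    """Zeller's ddmin: returns a 1-minimal input for which test() is still true.

    Repeatedly tries to drop one of n chunks; if dropping a chunk keeps the
    crash, keep the smaller input, otherwise refine to finer chunks. Stops
    when no single byte can be removed without losing the crash."""
    if not test(data):
        raise ValueError("input does not reproduce the crash to begin with")
    n = 2
    while len(data) >= 2:
        subset_length = len(data) // n  # n <= len(data), so at least 1
        start = 0
        reduced = False
        while start < len(data):
            complement = data[:start] + data[start + subset_length:]
            if test(complement):
                data = complement          # crash survives: keep smaller input
                n = max(n - 1, 2)
                reduced = True
                break
            start += subset_length
        if not reduced:
            if n == len(data):             # every single byte was tried
                break
            n = min(n * 2, len(data))      # refine granularity
    return data


# Constructed sample: a 'fuzz file' padded with junk around the trigger bytes.
SAMPLE_CRASH = (
    b"\x00" * 37 + b"header junk " + b"BAD!"
    + b"more filler " * 5 + b"\xff" + b"trailing" * 4
)


def minimize(data: bytes = SAMPLE_CRASH) -> bytes:
    """Minimize the sample against the oracle; the result is what belongs in a report."""
    return ddmin(data, crashes)


if __name__ == "__main__":
    small = minimize()
    print(f"{len(SAMPLE_CRASH)} bytes -> {len(small)} bytes: {small!r}")
```

Because the oracle only depends on the two trigger sequences, the only 1-minimal input is the marker followed by the 0xff byte, so the 133-byte constructed file shrinks to 5 bytes while still reproducing the crash.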
All reports must comply with Facebook’s Bug Bounty Program Terms and Conditions.
At this year’s Pwn2Own contest in Tokyo, researchers will be able to target the Oculus Quest and Portal devices, as Facebook wants to draw attention to the increasingly popular augmented and virtual reality technology.
Related: Flaw in New Facebook Design Allowed Removal of Profile Photos
Related: CSRF Vulnerability in Facebook Earns Researcher $25,000

More from Ionut Arghire