Facebook announced on Monday that it has expanded its bug bounty program to introduce rewards for reports describing vulnerabilities that involve the exposure of user access tokens.
Access tokens allow users to log into third-party applications and websites through Facebook. The tokens are unique for each user and each app, and users can choose what information can be accessed by the token and the app using it, as well as what actions it can take. The problem is that if a token is exposed, it can be misused to an extent that depends on the permissions set by its owner.
Facebook has updated its bug bounty program to clarify what it expects from reports describing token-related vulnerabilities.
In order to qualify for a bug bounty – Facebook is offering a minimum of $500 per vulnerability – researchers have to submit a clear proof-of-concept (PoC) demonstrating a flaw that allows access to or misuse of tokens.
One very important condition, according to the company, is that the bug needs to be discovered by passively viewing data sent to or from a device while the affected application is in use.
“You are not permitted to manipulate any request sent to the app or website from your device, or otherwise interfere with the ordinary functioning of the app or website in connection with submitting your report. For example, SQLi, XSS, open redirect, or permission-bypass vulnerabilities (such as IDOR) are strictly out of scope,” explained Dan Gurfinkel, Security Engineering Manager at Facebook.
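The program rewards exposures that can be seen by passively observing traffic while an app runs, so the practical question for an app owner is: where in our own traffic could a token become visible without anyone tampering with a request? The following is an added example, not code from the article or from Facebook, that scans captured request records for the common cases: a bearer token in a URL query string or fragment, a token-bearing URL forwarded in a Referer header, and any token sent over plain HTTP. The parameter names in TOKEN_PARAMS, the hostnames and the token values are assumptions constructed for the demo.

```python
"""Flag access tokens that an observer of a device's traffic could see.

Added example: scan passively captured HTTP request records for ways a
bearer token can leak without any request manipulation. Token values,
hostnames and parameter names are constructed assumptions, not real data.
"""
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

# Query/fragment parameter names treated as carrying a token (assumed set).
TOKEN_PARAMS = {"access_token", "token", "oauth_token"}


@dataclass
class Request:
    """One captured request: method, full URL and headers."""
    method: str
    url: str
    headers: dict = field(default_factory=dict)


@dataclass
class Finding:
    """A token exposure: what kind, in which request, token masked for logs."""
    kind: str
    url: str
    masked_token: str


def mask(token):
    """Keep only a prefix/suffix so findings can be correlated but not reused."""
    return token[:4] + "..." + token[-2:] if len(token) > 8 else "***"


def header(req, name):
    """Case-insensitive header lookup (captured headers vary in casing)."""
    for key, value in req.headers.items():
        if key.lower() == name.lower():
            return value
    return None


def tokens_in_url(url):
    """Return token values found in a URL's query string or fragment."""
    parts = urlsplit(url)
    found = []
    for raw in (parts.query, parts.fragment):
        for name, values in parse_qs(raw, keep_blank_values=True).items():
            if name.lower() in TOKEN_PARAMS:
                found.extend(v for v in values if v)
    return found


def scan(requests):
    """Produce a Finding for every passive token exposure in the capture."""
    findings = []
    for req in requests:
        plaintext = urlsplit(req.url).scheme.lower() == "http"
        # Tokens in the request URL end up in proxy logs, browser history, etc.
        for tok in tokens_in_url(req.url):
            findings.append(Finding("token_in_query", req.url, mask(tok)))
            if plaintext:
                findings.append(Finding("token_over_plaintext", req.url, mask(tok)))
        # A token-bearing page URL leaks to every third party it loads resources from.
        referer = header(req, "Referer")
        if referer:
            for tok in tokens_in_url(referer):
                findings.append(Finding("token_in_referer", req.url, mask(tok)))
        # A bearer header is fine over TLS but readable on the wire over http.
        auth = header(req, "Authorization") or ""
        if plaintext and auth.lower().startswith("bearer "):
            findings.append(Finding("bearer_over_plaintext", req.url, mask(auth.split(None, 1)[1])))
    return findings


# Constructed capture: one clean request and three distinct exposure patterns.
SAMPLE_TRAFFIC = [
    Request("GET", "https://api.example.com/me?fields=id,name&access_token=EAAB_constructed_token_123456"),
    Request("GET", "https://cdn.example.com/img.png",
            {"Referer": "https://app.example.com/home?access_token=EAAB_constructed_token_123456"}),
    Request("GET", "http://tracker.example.net/ping",
            {"Authorization": "Bearer EAAB_constructed_token_123456"}),
    Request("POST", "https://api.example.com/me",
            {"authorization": "Bearer EAAB_constructed_token_123456"}),  # TLS + header: no finding
]

if __name__ == "__main__":
    for f in scan(SAMPLE_TRAFFIC):
        print(f"{f.kind:22} {f.masked_token:12} {f.url}")
```

Running it over the constructed capture reports three findings (token in query, token in Referer, bearer over plaintext) and nothing for the request that sends the token in an Authorization header over TLS. Masking the token in the output matters because the scan's own logs would otherwise become another place the token is exposed.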
The social media giant will inform the developer of the impacted app or website and work with them to address the issue. Apps that fail to promptly comply will be suspended from the platform until the problem has been resolved and a security review is conducted. Facebook says it will also automatically revoke tokens that may have been compromised.
Facebook has taken significant steps to improve security and privacy following the Cambridge Analytica scandal, in which the personal details of a significant number of users were harvested. The company announced in March that it had made a series of changes to its developer platform to implement tighter user privacy controls and limit how apps can access user data. It later announced rewards for users who report misuse of private information.
According to Facebook, in 2017 it paid out $880,000 in bug bounties, with a total of over $6.3 million since the launch of its program in 2011.
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.