Meta Offers Rewards for Flaws Allowing Attackers to Bypass Integrity Checks

Facebook parent company Meta today announced that its bug bounty program will cover vulnerabilities that can be exploited to bypass integrity safeguards.

Facebook parent company Meta today announced that its bug bounty program will cover vulnerabilities that can be exploited to bypass integrity safeguards.

The program expansion, the company says, is meant to steer researchers’ attention to security issues that attackers may exploit to bypass specific integrity checks meant to limit abuse behaviors.

Such checks include mandatory two-factor authentication for specific business manager accounts, Facebook’s own application verification process, or feature restriction enforcements.

For example, Meta is willing to pay researchers for reports on issues that allow the bypass of the quarantine state a business is automatically placed in when it violates Facebook policies, or for bugs that allow tampering with restrictions enforced on other businesses or with those businesses’ appeals against such restrictions.

Researchers who identify endpoints that may perform sensitive actions without triggering a Business Manager two-factor authentication (2FA) prompt may receive up to $2,000 for their reports.

Meta also says it is willing to pay good money for vulnerabilities identified in its ads payment infrastructure.

Thus, researchers may receive rewards of up to $20,000 for issues allowing them to “create an arbitrary amount of prepaid balance without using a valid payment method,” or up to $15,000 for bugs that allow them to “remove an arbitrary outstanding balance without a valid payment,” the company says.

Flaws that allow researchers to tamper with metrics in Facebook Audience Network will also be rewarded. The highest bounty payout – of $10,000 – will go to reports demonstrating the “ability to take credit for the attribution of an install through an advertisement” without user interaction.

Meta will pay up to $20,000 to researchers demonstrating a method of generating ad revenue via fake impressions (without use of external botnets, scripts, social engineering, or fake accounts).

Scenarios that impact the integrity of ads displayed within the Facebook audience network are also within scope of the bug bounty program. New attack vectors that are also highly scalable and exploitable may be awarded bug bounty rewards of up to $10,000.

Meta also expanded the bug bounty program to include vulnerabilities in its application review process and issues that allow tampering with an app’s identity after the review process has been completed.

Furthermore, the social media platform will reward issues that allow applications to continue accessing user information after a grace period of 90 days has passed since the individual last used the application, as well as bugs that allow applications to bypass rate limits Facebook has imposed on API calls.

Meta also announced bug bounty rewards for vulnerabilities that bypass penalties – such as user account suspensions or account disabling – that have been enforced for policy violations. Issues allowing the bypass or modification of a user’s appeals against these enforcements are also within the scope of the bug bounty program.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.