Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Meta Paid Out $16 Million in Bug Bounties Since 2011

Facebook parent company Meta on Thursday announced that it has paid out over $16 million in bug bounties since 2011, with $2 million awarded in 2022 alone.

Facebook parent company Meta on Thursday announced that it has paid out over $16 million in bug bounties since 2011, with $2 million awarded in 2022 alone.

To date, the company has received more than 170,000 vulnerability reports from security researchers, but only 8,500 of them were awarded a bounty, the company says. Researchers in 45 countries were rewarded for finding security defects in Facebook and other services and products.

In 2022, the social media giant received roughly 10,000 vulnerability reports and issued bounties on more than 750 of them.

“We received hundreds of impactful bug reports in 2022 from researchers all over the world that have helped to make our community more secure, and we paid out more than $2 million in bounty awards,” the company announced.

Meta also revealed updated payout guidelines for VR technology, now covering Meta Quest Pro devices. At the BountyCon conference, a researcher was paid $44,250 for a Meta Quest 2 OAuth issue leading to a two-click account takeover.

Additionally, the company updated its payout guidelines regarding mobile remote code execution (RCE) vulnerabilities and published new payout guidelines for vulnerabilities leading to account takeover (ATO) and two-factor authentication (2FA) bypass.

Researchers submitting vulnerability reports in line with these new guidelines may earn as much as $130,000 for ATO bugs and up to $300,000 for mobile RCE issues. Reports, however, are evaluated on a case-by-case basis and could earn higher-than-the-cap rewards, depending on impact, Meta says.

The highest reward earned for an ATO and 2FA bypass chain was awarded to security researcher Yaala Abdellah for a vulnerability identified in Facebook’s phone number-based account recovery flow that was then chained with a separate 2FA bug. The researcher received a total of $187,700 in rewards.

Advertisement. Scroll to continue reading.

Another 2FA bypass that Facebook found worth mentioning earned Gtm Manoz of Nepal a $27,200 bounty. The vulnerability is described as a rate-limiting issue that could have allowed an attacker to brute force the verification PIN for phone number confirmation, thus bypassing SMS-based 2FA.

Related: Meta Offers Rewards for Flaws Allowing Attackers to Bypass Integrity Checks

Related: Facebook Will Reward Researchers for Reporting Scraping Bugs

Related: Facebook Announces Payout Guidelines for Bug Bounty Program

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn how the LOtL threat landscape has evolved, why traditional endpoint hardening methods fall short, and how adaptive, user-aware approaches can reduce risk.

Watch Now

Join the summit to explore critical threats to public cloud infrastructure, APIs, and identity systems through discussions, case studies, and insights into emerging technologies like AI and LLMs.

Register

People on the Move

Coro, a provider of cybersecurity solutions for SMBs, has appointed Joe Sykora as CEO.

SonicWall has hired Rajnish Mishra as Senior Vice President and Chief Development Officer.

Kenna Security co-founder Ed Bellis has joined Empirical Security as Chief Executive Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.