Facebook parent company Meta on Thursday announced that it has paid out over $16 million in bug bounties since 2011, with $2 million awarded in 2022 alone.
To date, the company has received more than 170,000 vulnerability reports from security researchers, but only 8,500 of them were awarded a bounty, the company says. Researchers in 45 countries were rewarded for finding security defects in Facebook and other services and products.
In 2022, the social media giant received roughly 10,000 vulnerability reports and issued bounties on more than 750 of them.
“We received hundreds of impactful bug reports in 2022 from researchers all over the world that have helped to make our community more secure, and we paid out more than $2 million in bounty awards,” the company announced.
Meta also revealed updated payout guidelines for VR technology, now covering Meta Quest Pro devices. At the BountyCon conference, a researcher was paid $44,250 for a Meta Quest 2 OAuth issue leading to a two-click account takeover.
Additionally, the company updated its payout guidelines regarding mobile remote code execution (RCE) vulnerabilities and published new payout guidelines for vulnerabilities leading to account takeover (ATO) and two-factor authentication (2FA) bypass.
Researchers submitting vulnerability reports in line with these new guidelines may earn as much as $130,000 for ATO bugs and up to $300,000 for mobile RCE issues. Reports, however, are evaluated on a case-by-case basis and could earn higher-than-the-cap rewards, depending on impact, Meta says.
The highest reward earned for an ATO and 2FA bypass chain was awarded to security researcher Yaala Abdellah for a vulnerability identified in Facebook’s phone number-based account recovery flow that was then chained with a separate 2FA bug. The researcher received a total of $187,700 in rewards.
Another 2FA bypass that Facebook found worth mentioning earned Gtm Manoz of Nepal a $27,200 bounty. The vulnerability is described as a rate-limiting issue that could have allowed an attacker to brute force the verification PIN for phone number confirmation, thus bypassing SMS-based 2FA.
Related: Meta Offers Rewards for Flaws Allowing Attackers to Bypass Integrity Checks
Related: Facebook Will Reward Researchers for Reporting Scraping Bugs
Related: Facebook Announces Payout Guidelines for Bug Bounty Program

More from Ionut Arghire
- KeePass Update Patches Vulnerability Exposing Master Password
- Google Workspace Gets Passkey Authentication
- Cybersecurity Startup Elba Raises €2.5 Million for Employee-Focused Product
- Apple Unveils Upcoming Privacy and Security Features
- Dozens of Malicious Extensions Found in Chrome Web Store
- Microsoft Makes SMB Signing Default Requirement in Windows 11 to Boost Security
- Zyxel Urges Customers to Patch Firewalls Against Exploited Vulnerabilities
- Gigabyte Rolls Out BIOS Updates to Remove Backdoor From Motherboards
Latest News
- KeePass Update Patches Vulnerability Exposing Master Password
- AntChain, Intel Create New Privacy-Preserving Computing Platform for AI Training
- Keep Aware Raises $2.4M to Eliminate Browser Blind Spots
- Google Workspace Gets Passkey Authentication
- Cybersecurity Startup Elba Raises €2.5 Million for Employee-Focused Product
- Zoom Expands Privacy Options for European Customers
- Several Major Organizations Confirm Being Impacted by MOVEit Attack
- Apple Unveils Upcoming Privacy and Security Features
