Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Meta Paid Out $16 Million in Bug Bounties Since 2011

Facebook parent company Meta on Thursday announced that it has paid out over $16 million in bug bounties since 2011, with $2 million awarded in 2022 alone.

Facebook parent company Meta on Thursday announced that it has paid out over $16 million in bug bounties since 2011, with $2 million awarded in 2022 alone.

To date, the company has received more than 170,000 vulnerability reports from security researchers, but only 8,500 of them were awarded a bounty, the company says. Researchers in 45 countries were rewarded for finding security defects in Facebook and other services and products.

In 2022, the social media giant received roughly 10,000 vulnerability reports and issued bounties on more than 750 of them.

“We received hundreds of impactful bug reports in 2022 from researchers all over the world that have helped to make our community more secure, and we paid out more than $2 million in bounty awards,” the company announced.

Meta also revealed updated payout guidelines for VR technology, now covering Meta Quest Pro devices. At the BountyCon conference, a researcher was paid $44,250 for a Meta Quest 2 OAuth issue leading to a two-click account takeover.

Additionally, the company updated its payout guidelines regarding mobile remote code execution (RCE) vulnerabilities and published new payout guidelines for vulnerabilities leading to account takeover (ATO) and two-factor authentication (2FA) bypass.

Researchers submitting vulnerability reports in line with these new guidelines may earn as much as $130,000 for ATO bugs and up to $300,000 for mobile RCE issues. Reports, however, are evaluated on a case-by-case basis and could earn higher-than-the-cap rewards, depending on impact, Meta says.

The highest reward earned for an ATO and 2FA bypass chain was awarded to security researcher Yaala Abdellah for a vulnerability identified in Facebook’s phone number-based account recovery flow that was then chained with a separate 2FA bug. The researcher received a total of $187,700 in rewards.

Advertisement. Scroll to continue reading.

Another 2FA bypass that Facebook found worth mentioning earned Gtm Manoz of Nepal a $27,200 bounty. The vulnerability is described as a rate-limiting issue that could have allowed an attacker to brute force the verification PIN for phone number confirmation, thus bypassing SMS-based 2FA.

Related: Meta Offers Rewards for Flaws Allowing Attackers to Bypass Integrity Checks

Related: Facebook Will Reward Researchers for Reporting Scraping Bugs

Related: Facebook Announces Payout Guidelines for Bug Bounty Program

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.