Facebook parent company Meta on Thursday announced that it has paid out over $16 million in bug bounties since 2011, with $2 million awarded in 2022 alone.
To date, the company has received more than 170,000 vulnerability reports from security researchers, but only 8,500 of them were awarded a bounty, the company says. Researchers in 45 countries were rewarded for finding security defects in Facebook and other services and products.
In 2022, the social media giant received roughly 10,000 vulnerability reports and issued bounties on more than 750 of them.
“We received hundreds of impactful bug reports in 2022 from researchers all over the world that have helped to make our community more secure, and we paid out more than $2 million in bounty awards,” the company announced.
Meta also revealed updated payout guidelines for VR technology, now covering Meta Quest Pro devices. At the BountyCon conference, a researcher was paid $44,250 for a Meta Quest 2 OAuth issue leading to a two-click account takeover.
Additionally, the company updated its payout guidelines regarding mobile remote code execution (RCE) vulnerabilities and published new payout guidelines for vulnerabilities leading to account takeover (ATO) and two-factor authentication (2FA) bypass.
Researchers submitting vulnerability reports in line with these new guidelines may earn as much as $130,000 for ATO bugs and up to $300,000 for mobile RCE issues. Reports, however, are evaluated on a case-by-case basis and could earn higher-than-the-cap rewards, depending on impact, Meta says.
The highest reward earned for an ATO and 2FA bypass chain was awarded to security researcher Yaala Abdellah for a vulnerability identified in Facebook’s phone number-based account recovery flow that was then chained with a separate 2FA bug. The researcher received a total of $187,700 in rewards.
Another 2FA bypass that Facebook found worth mentioning earned Gtm Manoz of Nepal a $27,200 bounty. The vulnerability is described as a rate-limiting issue that could have allowed an attacker to brute force the verification PIN for phone number confirmation, thus bypassing SMS-based 2FA.
Related: Meta Offers Rewards for Flaws Allowing Attackers to Bypass Integrity Checks
Related: Facebook Will Reward Researchers for Reporting Scraping Bugs
Related: Facebook Announces Payout Guidelines for Bug Bounty Program
More from Ionut Arghire
- Organizations Worldwide Targeted in Rapidly Evolving Buhti Ransomware Operation
- Google Cloud Users Can Now Automate TLS Certificate Lifecycle
- NCC Group Releases Open Source Tools for Developers, Pentesters
- Memcyco Raises $10 Million in Seed Funding to Prevent Website Impersonation
- Apria Healthcare Notifying 2 Million People of Years-Old Data Breaches
- European Cybersecurity Firm Sekoia.io Raises $37.5 Million
- GitLab Security Update Patches Critical Vulnerability
- Android App With 50,000 Downloads in Google Play Turned Into Spyware via Update
Latest News
- Industrial Giant ABB Confirms Ransomware Attack, Data Theft
- Organizations Worldwide Targeted in Rapidly Evolving Buhti Ransomware Operation
- Google Cloud Users Can Now Automate TLS Certificate Lifecycle
- Zyxel Firewalls Hacked by Mirai Botnet
- Watch Now: Threat Detection and Incident Response Virtual Summit
- NCC Group Releases Open Source Tools for Developers, Pentesters
- Memcyco Raises $10 Million in Seed Funding to Prevent Website Impersonation
- New Russia-Linked CosmicEnergy ICS Malware Could Disrupt Electric Grids
