Facebook parent company Meta on Thursday announced that it has paid out over $16 million in bug bounties since 2011, with $2 million awarded in 2022 alone.
To date, the company has received more than 170,000 vulnerability reports from security researchers, but only 8,500 of them were awarded a bounty, the company says. Researchers in 45 countries were rewarded for finding security defects in Facebook and other services and products.
In 2022, the social media giant received roughly 10,000 vulnerability reports and issued bounties on more than 750 of them.
“We received hundreds of impactful bug reports in 2022 from researchers all over the world that have helped to make our community more secure, and we paid out more than $2 million in bounty awards,” the company announced.
Meta also revealed updated payout guidelines for VR technology, now covering Meta Quest Pro devices. At the BountyCon conference, a researcher was paid $44,250 for a Meta Quest 2 OAuth issue leading to a two-click account takeover.
Additionally, the company updated its payout guidelines regarding mobile remote code execution (RCE) vulnerabilities and published new payout guidelines for vulnerabilities leading to account takeover (ATO) and two-factor authentication (2FA) bypass.
Researchers submitting vulnerability reports in line with these new guidelines may earn as much as $130,000 for ATO bugs and up to $300,000 for mobile RCE issues. Reports, however, are evaluated on a case-by-case basis and could earn higher-than-the-cap rewards, depending on impact, Meta says.
The highest reward earned for an ATO and 2FA bypass chain was awarded to security researcher Yaala Abdellah for a vulnerability identified in Facebook’s phone number-based account recovery flow that was then chained with a separate 2FA bug. The researcher received a total of $187,700 in rewards.
Another 2FA bypass that Facebook found worth mentioning earned Gtm Manoz of Nepal a $27,200 bounty. The vulnerability is described as a rate-limiting issue that could have allowed an attacker to brute force the verification PIN for phone number confirmation, thus bypassing SMS-based 2FA.
Related: Meta Offers Rewards for Flaws Allowing Attackers to Bypass Integrity Checks
Related: Facebook Will Reward Researchers for Reporting Scraping Bugs
Related: Facebook Announces Payout Guidelines for Bug Bounty Program