POSTED ON TO Security

Charting the future of our bug bounty program

Meta's bug bounty program: Two men inspect code, looking for potential bugs
By
  • We’re tackling the industry-wide issue of scraping by expanding our bug bounty program to reward valid reports of scraping bugs and unprotected data sets. To the best of our knowledge, this is an industry first. 
  • Looking toward the future, we’re also launching new educational opportunities for researchers and hosting our first BountyConEDU — a three-day conference for university students across Europe interested in learning more about the industry.
  • Since launching our bug bounty program in 2011, we’ve received more than 150K reports, of which over 7,800 were awarded a bounty.

Over the past 10 years, our bug bounty program has grown from only working with Facebook’s website to covering all of our web and mobile clients across all of our apps, including Instagram, WhatsApp, Quest, Workplace, and more. As we build for the future, we’re expanding the program to help combat the industry-wide issue of scraping and providing more opportunities for researchers.

Here are a few highlights from the past decade:

  • Since 2011, we’ve paid out more than $14 million in bug bounties and received more than 150K reports, of which over 7,800 were awarded a bounty.
  • We’ve paid out more than $250,000 in Hacker Plus bonuses since that program’s launch in 2020.
  • So far this year, we’ve awarded over $2.3 million to researchers from more than 46 countries.
  • This year alone, we’ve received around 25,000 reports in total and issued bounties on over 800 reports.
  • Since 2011, we’ve received the most valid reports from India, the United States, and Nepal.

From the beginning, we knew that our program needed to remain agile so that we could pivot in response to emerging risk areas. For example, to help crack down on instances of platform abuse after Cambridge Analytica, we launched the industry’s first Data Abuse Bounty program, which rewards researchers who report misuse of Facebook data by app developers. After a 2018 attack that targeted access tokens, we launched the industry’s first bug bounty for third-party apps and websites to reward researchers who find vulnerabilities that involve abuse of Facebook user data.

As we look toward the future of our program, we’re focused on expanding it to address new risk areas and launching new initiatives to recruit and retain researchers.

New expansions to cover scraping

As scraping continues to be an internet-wide challenge, we’re excited to open up two new areas of research for our bug bounty community. While we are only one piece of the larger puzzle when it comes to combating scraping efforts, we believe that the bug bounty community is an important element of our own work.

Starting as a private bounty track for our Gold+ HackerPlus researchers, our bug bounty program will now reward reports about scraping bugs. The goal of this program is to find bugs that attackers utilize to bypass scraping limitations to access data at greater scale than the product intended. Our goal is to quickly identify and counter scenarios that might make scraping less costly to execute. To our knowledge, this is the industry’s first bug bounty program for scraping.

In addition, we are expanding our data bounty program to reward reports of unprotected or openly public data sets containing at least 100,000 unique Facebook user records that include information such as email, phone number, physical address, religious, or political affiliation. The reported data set must be unique and not previously known or reported to Meta. If the report is valid, we will make efforts with the relevant entity to remove the data set or consider legal means to address the issue. We will reward valid reports of scraped data sets in the form of charity donations to nonprofits of our researchers’ choosing, to ensure that we are not incentivizing scraping activity. See more details on this expansion.

Recruiting and retaining researchers

Our program wouldn’t be successful without the external researcher community. We know that bug bounty researchers are in high demand, and want to make sure that our program remains rewarding. However, we also know that bug hunting can be a transient career path, with researchers sometimes transitioning in and out of programs. For this reason, we also want to help cultivate a more sustained interest among new and existing researchers.

Educational opportunities

Some of our longtime researchers have told us that they are interested in more educational opportunities to expand the surfaces and products they can hunt on — especially as certain bug areas are notoriously difficult to transition between, for example from software to hardware bug hunting.

We’ve designed our annual conference, BountyCon, to include sessions run by our top researchers. In these sessions, they discuss practical techniques and approaches for discovering and reporting critical vulnerabilities across surfaces for other researchers to learn from. Next year, and pending travel restrictions, the conference will take place in May in Singapore and will be co-hosted with Google. 

We noticed at BountyCon that when researchers worked together to submit bugs, they not only found higher-impact bugs but also learned from one another about their different focus areas. To support this kind of teamwork and learning, this year we released a collaboration feature for researchers who want to submit joint reports to our program.

Later this year, we will also launch a dedicated education center to help quickly onboard bug bounty researchers onto different products and technologies so that they can cut down the time it takes to hunt new areas for bugs.

Supporting the next generation of bug hunters

In addition to engaging the researchers that currently participate in our program, it’s also important that we help usher in future generations of bug hunters. In February, we’ll host our first BountyConEDU, a conference in Madrid for university students from all over Europe. This three-day conference will allow them to learn more about bug bounties and how to hunt for bugs, as well as to form teams to test Meta products for valid vulnerabilities. We’re excited to take our lessons from this event to find ways we can create similar learning opportunities around the world.

We want to thank our bug bounty community for their great research and everyone who contributed to the growth of our program. As always, we appreciate feedback on how we can make our collaboration even more effective. We look forward to our continued work together to keep our platform secure!

Read More in Security

View All

Stay Connected

Open Source

Meta believes in building community through open source technology. Explore our latest projects in Artificial Intelligence, Data Infrastructure, Development Tools, Front End, Languages, Platforms, Security, Virtual Reality, and more.

  • android
    ANDROID
  • ios
    iOS
  • web
    WEB
  • backend
    BACKEND
  • hardware
    HARDWARE

To help personalize content, tailor and measure ads and provide a safer experience, we use cookies. By clicking or navigating the site, you agree to allow our collection of information on and off Facebook through cookies. Learn more, including about available controls: Cookie Policy