Celebrating 15 years of Meta's Bug Bounty Program

Recognizing our research community’s 2025 contributions

November 26, 2025

By Meta Bug Bounty

KEY TAKEAWAYS:
  • We awarded over $4 million in bug bounties this year, bringing our program's total bounty awards to more than $25 million since its creation.
  • We’re piloting a specialized research track for experienced researchers and academics focused on platform abuse; participants receive engineering support and tooling, which helps lower the entry barrier to our Bug Bounty program.
  • We’re highlighting several notable finds this year, including a scaled WhatsApp enumeration study, an incomplete validation bug in WhatsApp, and an arbitrary code execution issue in Oculus.

As our Bug Bounty program nears its 15th anniversary, we wanted to recognize the impact the researcher community has had in helping Meta protect people across our apps this year and to share a few updates.

Over the past 15 years, we’ve awarded over $25 million to more than 1,400 researchers from 88 countries for helping us detect and fix issues faster, including testing products and features before they roll out to our users. A number of our bug bounty researchers have since joined our security and engineering teams to continue this work protecting people online.

Evolving Our Bug Bounty Program

Over the years, we’ve added new private and public tracks to our Bug Bounty program to encourage research in particular areas – from misuse of Facebook data by developers to bugs in third-party apps, scraping and more. While some of these specialized tracks have merged into our overall bug bounty program over time, others we have sunsetted after they helped us minimize entire classes of bugs. Such a close collaboration with our research community has allowed us to keep evolving our program, and today, we’re sharing a number of exciting updates.

Expanding specialized research pilot: Earlier this year, we launched a pilot to help accelerate collaboration in particular areas with researchers with proven credentials. We’re now expanding it to incentivize research beyond traditional security vulnerabilities. As part of this pilot, we’re inviting research teams to focus on abuse issues with dedicated internal engineering support and tooling. Our goal is to lower the barrier to entry for academics and other researchers who might not be as familiar with bug bounties to join our program. We’ll share progress updates and learnings as we expand the pilot.

Dedicated research tooling: We know that WhatsApp clients and server infrastructure are high-value targets, but they are also among the hardest surfaces to find bugs in. We heard our Bug Bounty researchers’ feedback that making it easier to research WhatsApp-specific technologies would go a long way. To do so, we’ve built WhatsApp Research Proxy – a tool that makes research into WhatsApp's network protocol more effective. To start, we have made WhatsApp Research Proxy available to some of our long-time bug bounty researchers to help us improve the tool. We’ll be inviting more researchers to test it, with the goal of releasing the tool publicly in the future.

Bug Highlights

In 2025, we received around 13,000 submissions in total, issuing over $4 million in bounties for almost 800 valid reports. Here are some of the most notable finds this year.

Advancing anti-scraping protections: Academic researchers at the University of Vienna reported a novel method to enumerate WhatsApp accounts at scale. In their study, they generated a list of possible phone numbers using open source tooling, checked whether those numbers were registered on WhatsApp, and then compiled basic publicly accessible information in a manner that exceeded our intended limits. The research only collated public information – no messages, contacts or other non-public data were accessible to the researchers. We collaborated to test and confirm the efficacy of our new mitigations, including those that were already in the works prior to receiving this study. The university researchers confirmed that they securely deleted the data compiled during their study, and we have not found evidence of adversaries abusing this vector.
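The enumeration pattern described above, turned into a defender-side check: as an added example (not Meta's, WhatsApp's or the University of Vienna's code, and not the mitigations the post refers to), the block below flags clients whose registration lookups show a high volume of distinct numbers with a low hit rate inside a sliding window, which is the signature that guessed number lists tend to leave, since most guesses are unassigned. The log format, the field names, the endpoint semantics and the thresholds are all assumptions; the sample log lines are constructed for the example.

```python
"""Sliding-window detector for account-enumeration-like lookup traffic.

Hypothetical log format (one line per registration lookup):
    <unix_ts> <client_id> <phone_number> registered|unknown
Lines are assumed to arrive in timestamp order per client.
"""
import re
from collections import defaultdict, deque

LOG_RE = re.compile(
    r"^(?P<ts>\d+) (?P<client>\S+) (?P<number>\+\d+) (?P<result>registered|unknown)$"
)


def parse_line(line):
    """Return (ts, client, number, registered) for one log line."""
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    return int(m["ts"]), m["client"], m["number"], m["result"] == "registered"


def detect_enumeration(lines, window_seconds=60, max_lookups=10, max_hit_rate=0.2):
    """Return {client: first_ts_flagged} for clients that, within any
    window_seconds window, looked up at least max_lookups distinct numbers
    and saw at most max_hit_rate of them come back as registered.

    Distinct numbers are counted so that a client re-checking one contact
    is not mistaken for enumeration; the low hit rate separates guessed
    number lists from a genuine address-book sync, where most entries exist.
    """
    windows = defaultdict(deque)  # client -> deque of (ts, number, registered)
    flagged = {}
    for line in lines:
        ts, client, number, registered = parse_line(line)
        q = windows[client]
        q.append((ts, number, registered))
        # Drop events that fell out of the window.
        while q and ts - q[0][0] > window_seconds:
            q.popleft()
        distinct = {n for _, n, _ in q}
        if len(distinct) < max_lookups:
            continue
        hits = sum(1 for _, _, r in q if r)
        if hits / len(q) <= max_hit_rate and client not in flagged:
            flagged[client] = ts
    return flagged


def build_sample_log():
    """Constructed sample traffic (not real data) covering three behaviours."""
    lines = []
    # clientA: a normal contact sync, a few lookups, all registered.
    lines += [f"{1700000000 + i} clientA +1555000{i} registered" for i in range(3)]
    # clientB: 12 sequential guesses in 12 seconds, only one registered.
    lines += [
        f"{1700000100 + i} clientB +1555100{i:02d} "
        f"{'registered' if i == 5 else 'unknown'}"
        for i in range(12)
    ]
    # clientC: the same 12 guesses spread 100 s apart, so never enough in one window.
    lines += [f"{1700000200 + 100 * i} clientC +1555200{i:02d} unknown" for i in range(12)]
    return lines


if __name__ == "__main__":
    for client, ts in detect_enumeration(build_sample_log()).items():
        print(f"enumeration-like lookups from {client}, first flagged at ts={ts}")
```

The thresholds are deliberately simple; a production check would also apply per-number limits, tie the client identity to an authenticated session rather than a log field, and feed the flag into rate limiting rather than blocking outright, since a user importing a large address book of non-users could otherwise be misclassified.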

Patching an incomplete validation bug: While testing the WhatsApp Research Proxy tool, our internal bug bounty analyst found an incomplete validation issue affecting rich response messages in WhatsApp prior to v2.25.23.73, WhatsApp Business for iOS v2.25.23.82, and WhatsApp for Mac v2.25.23.83. It could have allowed a user to trigger processing of content from an arbitrary URL on another user’s device. We fixed this limited-impact bug and have not seen evidence of exploitation.

Fixing an arbitrary code execution issue: At our annual Bug Bounty Researcher Conference, security researcher RyotaK won the "Most Impact Award" after reporting multiple bugs, including an issue that could have allowed malicious applications installed on Quest devices to manipulate Unity applications into executing arbitrary code. After triaging, we found that the underlying vulnerability lay within Unity’s third-party code itself and connected the researcher with the developer so they could share their findings. Unity fixed the issue impacting games and applications built on Unity 2017.1 and later. We also released an OS-level patch to further mitigate the risk on Quest devices that have any Unity application installed with default configurations. We haven’t found evidence of abuse, and Unity confirmed no exploitation or impact on its users and customers.

***

We thank our Bug Bounty community for your partnership this year and we welcome your feedback to help us keep our program as productive as possible.