Meta Bug Bounty
* All payout amounts are in USD

©2025 Meta.


Data Abuse Bounty program

To be eligible for a bounty, report a third-party app operator that is misusing user data. This program is not limited to Bug Bounty researchers, and we welcome all reports of data abuse.


Note that the situation must involve definitive abuse of user data, not just collection. It must also involve more than 10,000 users and be a case we were not already aware of or actively investigating. Please provide the appID for the applicable third-party app when submitting a report.

Program scope examples

Below are some specific examples of in-scope and out-of-scope issues to help guide your research.

| Issue type | Description | Scope |
| --- | --- | --- |
| Website or app "misusing" user data collected via Graph API | Including but not limited to buying, selling, disclosing, transferring or using FB or IG user data in any manner prohibited by policies or terms governing Meta or any applicable laws, e.g. an app uses Facebook Login and suffers a data breach or has a vulnerability exposing user data that the app obtained from Graph API. Average reward for this type of report is $1600. | Eligible |
| Third party SDK abuse | Malicious deep linking (i.e. launching one app from another app and third party stores FB or IG user data without developer or user consent), e.g. discovering bad actors paying developers to use malicious SDKs in their apps and share user data. Average reward for this type of report is $37,250. | Eligible |
| Access tokens | Website or app leaking access tokens or misusing access tokens to masquerade as a different website or app, e.g. an app is found to be publicly exposing user access tokens via an open bucket. Average reward for this type of report is $500. | Eligible |
| Malware | Malware or mass-scale tricking of users into installing apps. | Ineligible |
| Malicious plugins | Website or app installing malicious plugins or running malicious software, e.g. malicious plugins or browser extensions that are designed to compromise the security of our products. | Ineligible |
| Scraping | Collection of FB or IG data via automated means (pure collection without misuse of scraped data). | Ineligible |
| Software that steals access tokens | Software that requires users to input their access token, or steals access tokens when installed. | Ineligible |
| Hacked accounts | This channel is for reporting data abuse by applications on Facebook or Instagram and we can’t help with account support enquiries. | Ineligible |
| Other products | Non-Facebook or non-Instagram cases (e.g. WhatsApp). | Ineligible |

FAQs


How does it work?
Here are the stages a submission passes through:
  1. Identify: You identify a malicious platform app collecting data and abusing it.
  2. Submit: You submit a potential issue through the Data Abuse Bounty form.
  3. Vet: We vet the submission for a potential investigation.
  4. Investigate: If we believe that your report is credible we will ask for further information and details to launch a deeper investigation.
  5. Enforce: We will choose the appropriate enforcement, which may include shutting down the offending platform app, taking legal action, or an onsite forensic audit of the company selling or buying the data.
  6. Reward: We reward you for helping protect people's information.

What is the goal of this program?
We want to protect our users’ data and ensure their privacy isn’t compromised.

What are you looking for?
Any situation where a third-party app currently or formerly operating on Facebook or Instagram collected data from users and then bought, sold, disclosed, transferred, or used user data in any manner prohibited by policies or terms governing the Facebook or Instagram platforms or any applicable laws.

What do I need to provide?
You must provide information concerning: the identity of the applicable third-party app operator and the app’s name; the actions taken by the operator that violate policies or terms governing Facebook and Instagram or are otherwise illegal; the nature and scope of the Facebook/Instagram user data or credentials abused; proof of such abuse; and any information you have about the reason or purpose for the third-party app operator’s abusive conduct.

Information about the third-party app operator’s reason for the misuse?
This program is complementary to our existing Meta Bug Bounty in that it "follows the data" even if the root cause isn't a security flaw in Facebook code. Bad actors can maliciously collect and abuse Facebook and Instagram user data even when no security vulnerabilities exist. This program is intended to protect against that abuse.

Can I report any third-party app’s misuse of user data?
You must have specific and direct knowledge regarding the Facebook/Instagram abusive conduct that you are reporting.

How much can I expect to make?
We determine reward amounts based on a variety of factors, including the quality and impact of the report you submit. The amount of any reward is entirely up to our discretion. There is no maximum cap on the rewards offered under the program.

When do I get paid?
We reward submissions once we complete an investigation based on your report that leads to discovery of significant actionable abuse.

How long does it take to process submissions?
A data abuse investigation may require an extended period of time, based on the technical, legal, and organizational efforts that may be required, which may vary depending on the country and market at issue. It will not be unusual for an investigation to take several months or longer.

Where will updates be publicized?
Updates about and to the Data Abuse Bounty program will be posted at https://bugbounty.meta.com/data-abuse.

What if I tell you about a case you are already investigating?
As part of our program terms, only the first person to give us information about data abuse that leads to discovery of significant actionable conduct is eligible for a reward.

What if I have more than one issue to report?
Your report should include all instances of data abuse you are aware of that relate to a single third-party app or website. Please submit a separate report for each separate third-party app or website you are reporting on.
(Last updated July 15, 2024)