Terms and conditions

We aim to reward those who report a third-party app currently or formerly operating on Facebook or Instagram that has abused user data. Monetary rewards may be made to those whose reports lead to discovery of significant actionable abuse. Whether a specific report merits a reward is entirely at our discretion, based on impact, quality of the report, and other factors. To be eligible for a reward, you must not violate any applicable laws or regulations, including laws and regulations prohibiting unauthorized access to user data. You also must not violate any of Meta Terms and Policies or the terms and policies of any member of the Meta family of companies.

• Adhere to the Requirements for Data Abuse Bounty reports (see below).
• Meet the eligibility requirements described in Data Abuse Bounty program reward eligibility (see below).
• Submit your report via our report form and respond to follow up requests from Meta. Please do not contact Meta employees directly or through other channels about a report unless a Meta employee reaches out to you first.

• We determine reward amounts based on a variety of factors, including the impact and quality of the report. While there is no maximum, high-impact reports have garnered as much as $40,000* for people who bring them to our attention. If we pay a reward, payment will be made after we conclude our investigation into the issue you report.
• We seek to pay similar amounts for similar issues, but reward amounts and qualifying reports may change with time. Past rewards do not necessarily guarantee similar rewards in the future.
• In the event of duplicate reports, we provide a reward to the first person to submit a report that leads to discovery of significant actionable abuse. Meta determines which report qualifies for an award.
• You may donate a reward to a recognized charity (subject to Meta approval), and we will double reward amounts that are donated in this way.
• We reserve the right to publish the results of our investigation.
• All rewards must be permissible under applicable laws, including US trade sanctions and economic restrictions.

Your report must describe:

• The operator of the applicable third-party app, including the name of the app and if known, the relevant appID;
• The actions taken by the app or website that violate policies or terms governing the Facebook or Instagram platforms or are otherwise unlawful;
• The nature and scope of the Facebook or Instagram user data abused;
• Proof of the abuse being reported; and
• Any information you have about the reason or purpose for the third-party app operator’s conduct.

Your report should include all instances of abusive conduct you are aware of that relate to a single third-party app. Do not submit multiple reports related to the same abusive conduct.

• You do not submit any of the misused user data or credentials to Meta with your report, or at any other time unless Meta specifically requests such information, at which point you should carefully follow any instructions Meta provides about what data to submit and how to submit it.
• You give Meta reasonable time to investigate an issue you report before making public any information about the report or sharing such information with others.
• You have specific and direct knowledge regarding the abuse that you are reporting.
• You do not knowingly submit false information through the Data Abuse Bounty program. Meta will take all necessary actions in response to false submissions, including, but not limited to, banning you from Facebook.

Explicitly out of scope scenarios: