Celebrating 15 years of Meta's Bug Bounty programme
26 November 2025
By Meta Bug Bounty
- We awarded over USD 4 million in bug bounties this year, bringing our programme's total bounty awards to more than USD 25 million since its creation.
- We're piloting a specialised research track, focused on platform abuse, for experienced researchers and academics; participants receive engineering support and tooling, which helps lower the barrier to entry to our Bug Bounty programme.
- We're highlighting several notable finds this year, including a scaled WhatsApp enumeration study, an incomplete validation bug in WhatsApp and an arbitrary code execution issue in Oculus.
As our Bug Bounty programme nears its 15th anniversary, we wanted to recognise the impact that the researcher community has had in helping Meta protect people across our apps this year and to share a few updates.
Over the past 15 years, we've awarded over USD 25 million to more than 1,400 researchers from 88 countries for helping us detect and fix issues faster, including testing products and features before they're rolled out to our users. A number of our bug bounty researchers have since joined our security and engineering teams to continue this work protecting people online.
Evolving our Bug Bounty programme
Over the years, we've added new private and public tracks to our Bug Bounty programme to encourage research in particular areas – from misuse of Facebook data by developers to bugs in third-party apps, scraping and more. Some of these specialised tracks have since merged into our overall Bug Bounty programme; others we have sunsetted after they helped us minimise entire classes of bugs. This close collaboration with our research community has allowed us to keep evolving our programme, and today we're sharing a number of exciting updates.
Expanding specialised research pilot: Earlier this year, we launched a pilot to help accelerate collaboration in particular areas with researchers with proven credentials. We're now expanding it to incentivise research beyond traditional security vulnerabilities. As part of this pilot, we're inviting research teams to focus on abuse issues with dedicated internal engineering support and tooling. Our goal is to lower the barrier of entry for academics and other researchers who might not be as familiar with bug bounties to join our programme. We'll share progress updates and learnings as we expand the pilot.
Dedicated research tooling: We know that WhatsApp clients and server infrastructure are high-value targets, but they are also among the hardest surfaces in which to find bugs. We heard our Bug Bounty researchers' feedback that making it easier to research WhatsApp-specific technologies would go a long way. To that end, we've built WhatsApp Research Proxy – a tool that makes research into WhatsApp's network protocol more effective. To start, we have made WhatsApp Research Proxy available to some of our long-time bug bounty researchers to help us improve the tool. We'll be inviting more researchers to test it, with the goal of releasing the tool publicly in the future.
Bug highlights
In 2025, we received around 13,000 submissions in total, issuing over USD 4 million in bounties for almost 800 valid reports. Here are some of the most notable finds this year.
Advancing anti-scraping protections: Academic researchers at the University of Vienna reported a novel method to enumerate WhatsApp accounts at scale. In their study, they generated a list of possible phone numbers using open source tools, checked whether those numbers were registered on WhatsApp and then compiled basic publicly accessible information in a manner that exceeded our intended limits. The research only collated public information – no messages, contacts or other non-public data were accessible to the researchers. We collaborated to test and confirm the efficacy of our new mitigations, including those that were already in the works before we received this study. The university researchers confirmed that they securely deleted the data compiled during their study, and we haven't found any evidence of adversaries abusing this vector.
Patching an incomplete validation bug: While testing the WhatsApp Research Proxy tool, our internal bug bounty analyst found an incomplete validation issue affecting rich response messages in WhatsApp prior to v2.25.23.73, WhatsApp Business for iOS v2.25.23.82 and WhatsApp for Mac v2.25.23.83. It could have allowed a user to trigger processing of content from an arbitrary URL on another user's device. We fixed this limited-impact bug and have not seen evidence of exploitation.
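The post doesn't say which check was incomplete in the rich-response-message case, only that content from an arbitrary URL could end up being processed on another user's device. As an added illustration of that general bug class (hypothetical code, not WhatsApp's or Meta's, with a constructed allowlist and constructed sample URLs), the block below places a typical incomplete URL check, a string-prefix test, beside a stricter one that parses the URL and compares its normalised components exactly. The comparison shows both the look-alike and userinfo forms the prefix test wrongly accepts and the legitimate case-variant URL it wrongly rejects.

```python
from urllib.parse import urlsplit

# Constructed allowlist of hosts a client is expected to fetch rich content from.
# Hypothetical: not WhatsApp's list and not code from the original post.
ALLOWED_HOSTS = {"media.example.com", "cdn.example.com"}


def is_allowed_incomplete(url: str) -> bool:
    """Incomplete check: a prefix test on the raw string.

    It accepts anything that merely *begins* with an allowed origin, so
    look-alike hosts and user@host forms slip through, while harmless
    variants (upper-case host, explicit :443) are rejected.
    """
    return any(url.startswith(f"https://{host}") for host in ALLOWED_HOSTS)


def is_allowed_strict(url: str) -> bool:
    """Stricter check: parse first, then compare normalised components exactly."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https":
        return False
    if parts.username is not None or parts.password is not None:
        return False  # reject user@host forms that confuse prefix checks
    host = parts.hostname  # lower-cased, no port, no userinfo
    if host is None or host not in ALLOWED_HOSTS:
        return False
    if port not in (None, 443):
        return False
    return True


# Constructed sample inputs covering the cases the two checks disagree on.
SAMPLE_URLS = [
    "https://media.example.com/thumb/123.jpg",        # legitimate
    "https://media.example.com.attacker.test/x.jpg",  # look-alike host
    "https://media.example.com@attacker.test/x.jpg",  # userinfo prefix
    "http://media.example.com/x.jpg",                 # wrong scheme
    "https://MEDIA.example.com:443/x.jpg",            # case and port variant
]


def compare(urls=SAMPLE_URLS):
    """Return {url: (incomplete_verdict, strict_verdict)} for each input."""
    return {u: (is_allowed_incomplete(u), is_allowed_strict(u)) for u in urls}


if __name__ == "__main__":
    for url, (loose, strict) in compare().items():
        print(f"{url:50} incomplete={loose!s:5} strict={strict}")
```

The design point is that a validator must decide on the parsed, normalised host rather than on the raw string: the prefix test has no notion of where the host ends, so the hostname it "matches" can be the username portion or a subdomain of an attacker-controlled name.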
Fixing an arbitrary code execution issue: At our annual Bug Bounty Researcher Conference, security researcher RyotaK won the "Most Impact Award" after reporting multiple bugs, including an issue that could have allowed malicious applications installed on Quest devices to manipulate Unity applications into executing arbitrary code. After triaging, we found that the underlying vulnerability lay within Unity's third-party code itself and connected the researcher with the developer so that they could share their findings. Unity fixed the issue, which affected games and applications built on Unity 2017.1 and later. In addition, we released an OS-level patch to further mitigate the risk on Quest devices that have any Unity application installed with default configurations. We haven't found any evidence of abuse, and Unity confirmed no exploitation or impact on its users and customers.
***
We thank our Bug Bounty community for your partnership this year, and we welcome your feedback to help us keep our programme as productive as possible.