Max payout:
This guideline illustrates how we assess the security impact of Account Takeover (ATO) vulnerabilities. We cap the maximum base payout for an ATO vulnerability at $130,000* and then apply any applicable deductions based on required user interaction, prerequisites, and any other mitigating factors to arrive at the final awarded bounty amount.
Our payout guidelines are based on required user interaction, which we measure by the number of clicks the targeted person must perform (in a reasonable scenario) for their account to be compromised. Visiting a malicious link is considered a 1-click ATO.
Based on the type of interaction required by the target of the attack, we might apply additional deductions not listed here. An example interaction where we would apply a deduction is authorizing a malicious app.
These guidelines apply to our main technologies (Facebook, Instagram, and Meta accounts).
Maximum payouts

| Interaction required | Maximum payout |
|----------------------|----------------|
| 0-Click ATO          | up to $130k*   |
| 1-Click ATO          | up to $50k*    |
| 2-Click ATO          | up to $25k*    |
| >2-Click ATO         | up to $10k*    |
This guideline illustrates how we assess the security impact of Business and Page Takeover vulnerabilities.
Maximum payouts

| Interaction required | Maximum payout |
|----------------------|----------------|
| 0-Click takeover     | up to $50k*    |
| 1-Click takeover     | up to $25k*    |
| 2-Click takeover     | up to $12k*    |
| >2-Click takeover    | up to $10k*    |
Vulnerabilities that require a malicious app are deemed 1-Click Takeovers, and if the vulnerability requires special permissions on the app, each required permission counts as one additional click. That means a third-party app with public profile permission is already 1-Click, and each required permission on top of that adds one additional click.
©2024 Meta.