Max payout:
These guidelines illustrate how we assess the impact of the reports we receive about potential ads audience security weaknesses. We cap the maximum base payout for leaking PII (name, email, phone number, state, ZIP, gender) via ads audiences at $30,000*, and then apply any applicable deductions based on the required user interaction, prerequisites, and any other mitigating factors to arrive at the final awarded bounty amount.
Maximum payouts

Issue | Maximum payout
--- | ---
Being able to leak multiple PII on behalf of any user (email, phone number, state, age, ZIP code, gender, etc.) using Ads Audience | up to $30k*
Being able to use audiences outside of shared relationships between businesses | up to $7.5k*
Identifying audience composition across businesses | up to $5k*
Abuse of sensitive expectations of different audiences | up to $5k*
Mitigating factors (deduction from maximum amount)
We consider the following factors when deducting from the maximum payout to arrive at the final bounty amount:
Mitigating factor | Deduction
--- | ---
Requires read actions (e.g. viewing an ad). Note: multiple read actions -40% or higher | -30% or higher
Requires write actions (e.g. clicking an ad, navigating to a malicious site). Note: multiple write actions -60% or higher | -50% or higher
Has some requirements (e.g. known email/phone number), or has some limitations (e.g. only affects users with pages). Note: -10% deduction per requirement/limitation | -10% or higher
Please do not create or test against the following special ads category verticals.
Financial products or services.
Employment, housing, or credit ads.
Social issues, elections, or politics.
Attacks that require mass creation of audiences, are noisy (e.g. require a large number of requests), or do not work at scale* receive an additional deduction of 50%.
At scale*: the attack works without user interaction (e.g. no clicking on ads or visiting malicious websites) and can easily be executed against 100+ users in one go (i.e. it is not affected by rate limits).
©2024 Meta.