These guidelines describe our approach to analysing and determining the impact of vulnerabilities affecting our platform privacy. Below is an overview of the bounties we will reward for various bugs.

Max payout:
Infer which apps a given user has logged into with Facebook | $5,000* maximum bounty
Apps logged into by a given user through Facebook should not be visible to others.
Mitigating factors (deducted from the maximum amount):
Privileged position (e.g., friends, group admin, malicious app install, etc.) | -$2.5k*
Requires interaction from victim (e.g., clicking a link) | -$2.5k*
Attacker needs to run point queries against victim | -$1k*
Permission(s) required for reproduction (e.g., malicious app needs read_insights) | -$1k*
One-off conditions or other setup | -$1k*
When a user installs a third-party app, the developer receives an App Scoped User ID (ASID) which is unique to that app-user pair. Our platform surfaces should never return the global user ID and should always use the ASID. Furthermore, any endpoint that readily converts from ASID to global UserID would also be in scope.
Inferring UID from other means is out of scope.
ASIDs are an abstraction for consumer integrations only (e.g., business apps get BSIDs and page apps get PSIDs; both BSIDs and PSIDs are out of scope).
When logging into an app with Facebook, users authorise the app to access certain fields of information about themselves on Facebook through user permissions. The developer should not be able to read or write these fields unless granted the appropriate permissions (e.g., an app should not be able to infer that two users are Facebook friends unless both grant the app permission to access their friends graph).
Note: Certain business permissions could have implicit side effects on information not directly covered by them. For example, certain endpoints that require manage_pages could make trivial updates to the business that manages the app. Given that the app already holds a sensitive permission, such small side effects are by design. If an endpoint covered by manage_pages also allows adding new pages to the business, that would be in scope and is not expected, since the app should then require the manage_business permission.
Payout matrix:
Business reads and writes on non-sensitive assets | up to $500*
Note: Certain reads on non-sensitive assets may potentially be deemed below the bar for a payout.
Personal information such as Friends, Likes, Location, Hometown, Messenger contacts, Photos, Posts, Videos, Birthday, Gender, Age | up to $1k*
Posting on behalf of others, takeover of sensitive assets (e.g., pages, without having the required permissions), account takeover | up to $5k*
Mitigating factors (deducted from the maximum amount):
One-off conditions or other setup | -$1k*
©2024 Meta.