©2024 Meta.
Max payout:
These guidelines illustrate how we assess the security impact of 2-Factor Authentication (2FA) bypass vulnerabilities. We cap the maximum base payout for a 2FA bypass at $20,000* and then apply any applicable deductions based on required user interaction, prerequisites, and any other mitigating factors to arrive at the final awarded bounty amount.
For valid reports identifying an Account Takeover (ATO) vulnerability which bypasses 2FA, we’ll issue a bounty award for both ATO and 2FA vulnerabilities.