Meta Bug Bounty: Payout guidelines

* All payout amounts are in USD

©2025 Meta.
Mobile remote code execution

Max payout: $300k*

Guidelines

These guidelines relate to native bugs in mobile apps. “Native bugs” refer to issues unique to languages like C and C++, where memory corruption and mismanagement can lead to information disclosure or remote code execution. Some of the Meta apps rely on C and C++ code, and these guidelines apply specifically to the Android and iOS versions of Facebook, Messenger, Instagram, Threads and WhatsApp.

Payouts are determined by the amount of user interaction required. User interaction for exploits is commonly measured in “clicks” — the number of actions the targeted user has to perform to trigger the exploit. For example, no user interaction is 0-click and answering a call or opening a message thread is 1-click.

Payouts

Remote code execution: up to $300k*

The maximum payout for a full RCE exploit is $300,000*. To receive the maximum payout, reports must include a robust proof of concept that works on any one of the last three major versions of Android (including the current one), in the emulator or on a Pixel device, or on an iOS version that is currently supported by Apple. The exploit has to demonstrate the ability to execute arbitrary code, not just crash the app. This payout cannot be combined with any other payout: a submission that chains two or more vulnerabilities (e.g., one RCE and one info disclosure) is awarded the maximum payout of $300,000* rather than the sum of the individual payouts.

The maximum payout for a proof of concept of an exploitable crash is $120,000*. Demonstration of exploitability should be accompanied by a detailed technical explanation of how RCE is possible.

We will adjust the payout with a multiplier based on the number of clicks:

0-click RCE: 1x
1-click RCE: 0.75x
2+ click RCE: 0.5x
Memory / info disclosure: up to $20k*

These top payouts are for memory disclosure bugs that disclose sensitive user data such as personal information, message content, pointer values, or encryption keys. We cap the maximum payout for a memory disclosure bug at $20,000* and then apply the same multipliers based on the number of clicks required.

Denial of service (DoS): up to $5k*

Denial of Service (DoS) vulnerabilities have a maximum payout of up to $5,000* for persistent DoS (the app becomes unusable and needs a full reinstall or other action to recover) and $500* for temporary DoS (the app crashes but recovers on restart). We will adjust the payout with the click-based multiplier for persistent DoS reports, but not for temporary DoS reports. DoS against server infrastructure is out of scope.

Additional considerations

Targets not explicitly covered by this policy: For targets beyond Facebook, Messenger, Instagram, Threads and WhatsApp, we will apply a multiplier of at most 0.5x, at Meta's sole discretion, taking factors such as risk and product impact into account on a case-by-case basis. This multiplier applies to all payout categories.

For example, for a proof of concept of a 1-click RCE vulnerability that does not apply to Facebook, Messenger, Instagram, Threads or WhatsApp, the total payout will be up to $120,000* x 0.75 (1-click RCE multiplier) x 0.5 (non-Facebook/Messenger/Instagram/Threads/WhatsApp target multiplier) = $45,000*.