Max payout:
These guidelines relate to native bugs in mobile apps. “Native bugs” refer to issues unique to languages like C and C++, where memory corruption and mismanagement can lead to information disclosure or remote code execution. Some of the Meta apps rely on C and C++ code, and these guidelines apply specifically to the Android and iOS versions of Facebook, Messenger, Instagram, Threads and WhatsApp.
Payouts are determined by the amount of user interaction required. User interaction for exploits is commonly measured in “clicks” — the number of actions the targeted user has to perform to trigger the exploit. For example, no user interaction is 0-click and answering a call or opening a message thread is 1-click.
The maximum payout for a full RCE exploit is $300,000*. To receive the maximum payout, reports must include a robust proof of concept using any one of the last three (including current) major versions of Android in a simulator or on a Pixel device, or an iOS version that is currently supported by Apple. The exploit has to demonstrate the ability to execute arbitrary code, not just crash the app. This payout cannot be combined with any other payouts, i.e., submitting 2+ vulnerabilities as part of an exploit chain (e.g., 1 RCE and 1 info disclosure) will be awarded the maximum payout of $300,000* despite the multiple vulnerabilities.
The maximum payout for a proof of concept of an exploitable crash is $120,000*. Demonstration of exploitability should be accompanied by a detailed technical explanation of how RCE is possible.
We will adjust the payout with a multiplier based on the number of clicks:
0-Click RCE: 1x
1-Click RCE: 0.75x
2+ Click RCE: 0.5x
The top payouts for memory disclosure bugs apply to bugs that disclose sensitive user data such as personal information, message content, pointer values, or encryption keys. We cap the maximum payout for a memory disclosure bug at $20,000* and then apply the same multipliers based on the number of clicks required.
Denial of Service (DoS) vulnerabilities will have a maximum payout of up to $3,000* for persistent (app is unusable and needs a full reinstall or further actions to recover) and $500* for temporary DoS (app crash but recovers on restart). We will adjust the payout with a multiplier based on clicks for persistent DoS reports, but not for temporary DoS reports. DoS against server infrastructure is out of scope.
Targets not explicitly covered by this policy: For targets beyond Facebook, Messenger, Instagram, Threads and WhatsApp, we will apply a maximum of a 0.5x multiplier solely at Meta's discretion, with factors such as risk and product impact taken into account on a case-by-case basis. This multiplier will apply to all payout categories.
For example, for a proof of concept of a 1-click RCE vulnerability that does not apply to Facebook, Messenger, Instagram, Threads or WhatsApp, the total payout will be up to: $120,000* x 0.75 (1-click RCE multiplier) x 0.5 (non-Facebook/Messenger/Instagram/Threads/WhatsApp target multiplier) = $45,000*
©2024 Meta.