Max payout:
These guidelines show how we assess the impact of Server Side Request Forgery (SSRF) type of vulnerabilities. We cap the maximum payout for an SSRF at $40,000* and then apply any applicable deductions to arrive at the final awarded bounty amount.
In order to help our researchers, we have set up a canary endpoint for researchers to test potential SSRF findings. If you manage to hit the internal link, it will raise an alert for Meta Security to investigate. To note, if you are able to retrieve the canary token (which means that you can read data from the SSRF), please be sure to include the canary token in your submission.
The SSRF test endpoint: https://www.internalfb.com/intern/bug-bounty/get-canary-token/Maximum payouts
SSRF in production and reading the response (must include canary in your report)
up to $40k* |
Blind SSRF in production and not reading the response (must trigger the canary alert)
up to $30k* |
Hitting arbitrary endpoints within a corporate network (e.g. through an unpatched CVE on a third-party system)
up to $10k* |
If you can only hit a small number of endpoints within the corporate network (e.g. a small set of hosts or loopback only)
up to $1k* |
$5,000* - A bonus is applied if you demonstrate full control of the HTTP request (e.g. can easily modify the method, or the content type)
A deduction is applied if the request is rate limited or is only made after a certain period of time (e.g. a script running once a day which then fetches the provided URL)