©2024 Meta.
These guidelines refer to bugs that enable matching of Uniquely Identifiable Information (UII) to a User ID (UID). This includes bugs that allow a mapping between contact points such as email addresses and phone numbers and Facebook UIDs. Such reports must demonstrate the ability to obtain one or more contact points (i.e. a phone number or email address) from an account whose setting for “Who can look you up using the email address or phone number you provided” is configured to “Only Me” or “Friends”.
This category has a wide range of potential bounty amounts, as they depend on the list of factors below. We typically cap these bugs at $10,000* and then apply any applicable deductions to arrive at the final bounty amount.

Maximum payouts

- Bugs that enable identifying a contact point such as email or phone number that matches a known user ID: up to $10k*
- Bugs that enable identifying a user ID matching a known contact point (inverse direction): up to $7.5k*
- Point queries that confirm whether user A has a contact point X: up to $5k*
- Bugs that enable identifying a contact point such as email or phone number matching a user’s known first and last name (rather than UID or username): up to $3k*
Mitigating factors (deducted from the maximum amount)

We consider the following factors when deducting from the maximum payout to arrive at the final bounty amount:

- User interaction required in order to execute the exploit: -50% or higher (depending on the likelihood and type of interaction)
- Whether the attacker must be in a privileged position to execute the reported scenario (e.g., a friend connection on our platform): -90% or higher (depending on the required position)
- Whether a reported scenario applies to Workplace, as corporate emails are more likely to be public or easily guessable: -$500* (corporate emails are more likely to be advertised publicly and share the same domain, e.g., @fb.com)
- Reports that use noisy attack vectors to infer the mapping will receive a bounty of $1,000* or below