Meta Bug Bounty
* All payout amounts are in USD

©2025 Meta.

Cross-site leaks

Max payout: $5k*

Guidelines

XS-Leaks (cross-site leaks) are a family of browser side-channel techniques that let a malicious site infer information about the user of another site. They are typically built on signals such as HTTP status codes (for example, whether a cross-origin script or image load fires onload or onerror), properties observable through a window reference obtained via window.open, or response timing.

To test for XS-Leak bugs, use a browser that supports the Fetch Metadata request headers (Sec-Fetch-Site, Sec-Fetch-Mode, Sec-Fetch-Dest) and the Cross-Origin-Opener-Policy (COOP) response header. We are continually improving our own protections, but we also rely on browsers to enforce the aforementioned policies correctly. If we trace the root cause of an XS-Leak to an outdated browser version or to a bug in a browser's implementation, we will not reward that finding.
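As an added example (not code from Meta's program or site), the JavaScript below shows the two server-side controls the paragraph above refers to: a Fetch Metadata resource-isolation check on the Sec-Fetch-* request headers, and the COOP/CORP isolation response headers. It models a constructed endpoint whose status code depends on the logged-in user, then shows that a cross-site probe distinguishes two users when the policy is off and sees a uniform 403 when it is on. The endpoint, the fake sessions and the attacker probe are assumptions for illustration.

```javascript
// Added example, not Meta's code: a Fetch Metadata resource-isolation
// policy plus the isolation response headers that blunt common XS-Leak
// oracles. Endpoint, users and probe below are constructed for illustration.

// Decide whether a request may reach application logic. Modern browsers
// attach Sec-Fetch-* to every request; a cross-site probe (an attacker page
// embedding our URL via <script>, <img>, <iframe>, fetch(), ...) arrives
// with Sec-Fetch-Site: cross-site and is rejected before any user-dependent
// behaviour (status code, body size, timing) can be observed.
function allowedByResourceIsolationPolicy(headers, method) {
  const site = headers['sec-fetch-site'];
  const mode = headers['sec-fetch-mode'];
  const dest = headers['sec-fetch-dest'];
  // Legacy browsers send no Sec-Fetch headers at all. Allowing them keeps
  // the site working there; a separate CSRF token still covers that case.
  if (site === undefined) return true;
  // Same-origin, same-site and user-initiated (address bar, bookmark) requests.
  if (site === 'same-origin' || site === 'same-site' || site === 'none') return true;
  // Cross-site top-level navigations (someone clicked a link to us) are fine,
  // but only as a plain GET/HEAD that renders a document, never as an embed.
  if (mode === 'navigate' && dest === 'document' && (method === 'GET' || method === 'HEAD')) return true;
  return false;
}

// COOP severs the window reference an attacker keeps after window.open()
// (frame counting, window.length, navigation probes); CORP stops our
// responses from being consumed as cross-origin subresources; Vary keeps a
// shared cache from replaying a same-site answer to a cross-site probe.
const ISOLATION_HEADERS = Object.freeze({
  'Cross-Origin-Opener-Policy': 'same-origin',
  'Cross-Origin-Resource-Policy': 'same-origin',
  'Vary': 'Sec-Fetch-Site, Sec-Fetch-Mode, Sec-Fetch-Dest',
});

// Constructed, deliberately leaky endpoint: answers 200 when the logged-in
// user administers a Page and 404 otherwise. Reachable cross-site, that is
// a one-bit status-code oracle of exactly the "Page role" kind.
const FAKE_SESSIONS = { alice: { pageAdmin: true }, bob: { pageAdmin: false } };
function pageRoleEndpoint(user) {
  const s = FAKE_SESSIONS[user];
  return s && s.pageAdmin ? 200 : 404;
}

// Request handler: the policy runs before any application logic, so a
// rejected probe never triggers user-dependent behaviour.
function handle(headers, method, user, enforce) {
  if (enforce && !allowedByResourceIsolationPolicy(headers, method)) {
    return { status: 403, headers: ISOLATION_HEADERS };
  }
  return { status: pageRoleEndpoint(user), headers: ISOLATION_HEADERS };
}

// The attacker's view: a <script src="https://victim.example/page-role">
// tag on evil.example fires onload on 2xx and onerror otherwise, so the
// browser hands the status over as one bit. Only the headers are modelled.
function crossSiteScriptProbe(user, enforce) {
  const probeHeaders = {
    'sec-fetch-site': 'cross-site',
    'sec-fetch-mode': 'no-cors',
    'sec-fetch-dest': 'script',
  };
  return handle(probeHeaders, 'GET', user, enforce).status;
}

// Does the probe still separate an admin from a non-admin?
function oracleDistinguishes(enforce) {
  return crossSiteScriptProbe('alice', enforce) !== crossSiteScriptProbe('bob', enforce);
}
```

Two caveats a practitioner should keep in mind: requests from browsers that predate Fetch Metadata carry no Sec-Fetch headers, so this policy alone is not a CSRF defence and the existing token check has to stay; and Cross-Origin-Opener-Policy: same-origin severs the opener relationship for every cross-origin popup, so check that no legitimate window.open integration depends on that reference before deploying it.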

We base our payouts on two factors: the type of data that is leaked and the attack vector used. Submissions that point out a new attack vector we were not aware of, or that bypass our existing security frameworks, receive higher payouts; issues that only identify individual endpoints currently lacking protections receive a lower payout.

Payouts

Identification (up to $3k*)

Maximum payout
    Being able to query the user ID of the current user: $3k*
    Being able to point-query whether the current user is a specific user ID: $2k*

Mitigating factors
    To qualify for this payout, the attack must be scalable against a list of user IDs.
Search bar (up to $5k*)

Maximum payout
    Being able to leak any information that the search bar lets you query, including words or digits in private posts, private groups, friend interactions, and anything else Graph search allows: $5k*

Mitigating factors (deducted from the maximum amount)
    If the attack requires a new browser tab: -$1.5k*
Location (up to $1.5k*)

Maximum payout
    Being able to determine someone's location accurately to the ZIP-code level: $1.5k*

Mitigating factors (deducted from the maximum amount)
    If the attack requires a new browser tab: -$250*
    If the information cannot be binary-searched (each probe can only test a single candidate value rather than a range): -$750*
    If the location is derived from the user's IP address: out of scope
Age (up to $1k*)

Maximum payout
    Being able to determine whether someone's age falls into the 13, 14, 15, 16, 17, 18+, 19, 21 or 25+ ranges: $750*
    Being able to determine someone's exact age: $1k*

Mitigating factors (deducted from the maximum amount)
    If the attack requires a new browser tab: -$250*
Page role (up to $1.25k*)

Maximum payout
    Being able to point-query whether someone has a role on a Page: $1.25k*

Mitigating factors (deducted from the maximum amount)
    If the attack requires a new browser tab: -$750*
Less impactful leaks (up to $750*)

Maximum payout
    Issues with significant limitations around scalability or around the leaked data: $500* - $750*
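The "scalable", "point query" and "cannot be binary-searched" wording in the Identification, Search bar and Location tables above all describe the same thing: how much an attacker recovers per oracle call. As an added example (not Meta's code), the JavaScript below simulates three kinds of cross-site boolean oracle and counts the queries each extraction needs. The victim values, the oracles and the alphabet are constructed for the demonstration and stand in for a real status-code, timing or frame-count probe.

```javascript
// Added example, not Meta's code: what "scalable" and "binary-searchable"
// mean in XS-Leak terms. Every oracle here is a constructed stand-in for a
// cross-site boolean leak (e.g. "did the victim's search for q match?").

// Constructed victim state. The attacker never sees these directly; the
// point is how many oracle calls it takes to recover them.
const VICTIM = { privatePostDigits: '4127', zip: '94025', age: 34 };

// Oracle 1, search-bar style: true iff private content starts with `query`
// (models the "words/digits in private posts" leak). Each oracle counts
// its own calls so the cost of an extraction can be compared.
function makeSearchOracle(secret) {
  let calls = 0;
  const oracle = (query) => { calls++; return secret.startsWith(query); };
  oracle.calls = () => calls;
  return oracle;
}

// Extraction with a prefix oracle: extend the known prefix one symbol at a
// time. Worst case |alphabet| * length calls, independent of how much data
// the victim has, which is why a search oracle earns the top payout.
function extractWithPrefixOracle(oracle, alphabet, length) {
  let known = '';
  for (let i = 0; i < length; i++) {
    let found = false;
    for (const ch of alphabet) {
      if (oracle(known + ch)) { known += ch; found = true; break; }
    }
    if (!found) return null; // nothing matched: secret uses other symbols
  }
  return known;
}

// Oracle 2, ordered comparison: true iff secret >= threshold (models a
// filter such as "people aged at least N" probed cross-site).
function makeComparisonOracle(secret) {
  let calls = 0;
  const oracle = (threshold) => { calls++; return secret >= threshold; };
  oracle.calls = () => calls;
  return oracle;
}

// Binary search over [lo, hi]: ceil(log2(hi - lo + 1)) calls at most.
function extractWithBinarySearch(oracle, lo, hi) {
  while (lo < hi) {
    const mid = Math.floor((lo + hi + 1) / 2);
    if (oracle(mid)) lo = mid; else hi = mid - 1;
  }
  return lo;
}

// Oracle 3, equality only: true iff secret === guess. This is the
// "cannot be binary-searched" case; every candidate has to be probed.
function makeEqualityOracle(secret) {
  let calls = 0;
  const oracle = (guess) => { calls++; return secret === guess; };
  oracle.calls = () => calls;
  return oracle;
}

function extractWithLinearScan(oracle, lo, hi) {
  for (let v = lo; v <= hi; v++) if (oracle(v)) return v;
  return null;
}

// Run all three extractions and report the recovered value and its cost.
function demo() {
  const s = makeSearchOracle(VICTIM.privatePostDigits);
  const digits = extractWithPrefixOracle(s, '0123456789', 4);
  const c = makeComparisonOracle(Number(VICTIM.zip));
  const zip = extractWithBinarySearch(c, 0, 99999);
  const e = makeEqualityOracle(VICTIM.age);
  const age = extractWithLinearScan(e, 13, 120);
  return {
    digits, digitsCalls: s.calls(),
    zip: String(zip).padStart(5, '0'), zipCalls: c.calls(),
    age, ageCalls: e.calls(),
  };
}
```

With these constructed inputs the prefix oracle recovers the four digits in 18 calls and never needs more than ten per symbol however many posts exist; the comparison oracle pins a five-digit value in 16 or 17 calls; the equality oracle needs one call per candidate (22 here, and far more for a larger value space). That last shape, one guess confirmed per call against one user, is what the tables call a point query, and it is why an oracle that cannot be binary-searched is paid less.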