Cross-site leaks

XS-Leak or cross-site leaks refers to a family of browser side-channel techniques that can be used to infer and gather information about users, often based on things like HTTP status code leaks, window.open relations or timing attacks.

To test for XSLeak bugs, please use browsers that support SecFetch and Cross-Origin-Opener-Policy (COOP) headers. We are constantly working on and improving our existing protections but we also rely on browsers to enforce the aformentioned policies properly. If we trace the root cause of an XSLeak to an older browser version or a browser implementation mistake, we will not reward that finding.

We base our payouts on 2 factors, first the type of data that is being leaked and second the attack vector. We will issue higher payouts for submissions that point out a new attack vector that we were not aware of, or if it bypasses our existing security frameworks. However, issues identifying individual endpoints that currently lack protections will receive a lower payout.

Payouts

Identification

up to

$3k*

Maximum payout

Being able to query the user ID of the current user.

$3k*

Being able to point query if the current user is a certain user ID.

$2k*

Mitigating factors

To qualify for this payout, the attack must be scalable against a list of user IDs.

Search bar

up to

$5k*

Maximum payout

Being able to leak any information that the search bar allows you to query. Including words/digits in private posts, private groups, friend interactions and anything that Graph search allows.

$5k*

Mitigating factors (deduct from maximum amount)

If the attack requires a new browser tab.

-$1.5k*

Location

up to

$1.5k*

Maximum payout

Being able to figure out the exact location of someone accurate on the ZIP code level.

$1.5k*

Mitigating factors (deduct from maximum amount)

If the attack requires a new browser tab.

-$250*

If the information cannot be binary-searched.

-$750*

If the location is based on the user's IP address.

Out of scope

Age

up to

$1k*

Maximum payout

Being able to figure out if one's age falls into 13, 14, 15, 16, 17, 18+, 19, 21, 25+ ranges.

$750*

Being able to figure out the exact age of someone.

$1k*

Mitigating factors (deduct from maximum amount)

If the attack requires a new browser tab.

-$250*

Page role

up to

$1.25k*

Maximum payout

Being able to point query if someone has a role on the page.

$1.25k*

Mitigating factors (deduct from maximum amount)

If the attack requires a new browser tab.

-$750*

Less impactful leaks

up to

$750*

Maximum payout

Issues with significant limitations around scalability or around the leaked data.

$500* - $750*

Guidelines

Payouts