©2024 Meta.
Max payout:
XS-Leak or cross-site leaks refers to a family of browser side-channel techniques that can be used to infer and gather information about users, often based on things like HTTP status code leaks, window.open relations or timing attacks.
To test for XSLeak bugs, please use browsers that support SecFetch and Cross-Origin-Opener-Policy (COOP) headers. We are constantly working on and improving our existing protections but we also rely on browsers to enforce the aformentioned policies properly. If we trace the root cause of an XSLeak to an older browser version or a browser implementation mistake, we will not reward that finding.
We base our payouts on 2 factors, first the type of data that is being leaked and second the attack vector. We will issue higher payouts for submissions that point out a new attack vector that we were not aware of, or if it bypasses our existing security frameworks. However, issues identifying individual endpoints that currently lack protections will receive a lower payout.
Maximum payout
Being able to query the user ID of the current user.
$3k* |
Being able to point query if the current user is a certain user ID.
$2k* |
Mitigating factors
To qualify for this payout, the attack must be scalable against a list of user IDs.
|
Maximum payout
Being able to leak any information that the search bar allows you to query. Including words/digits in private posts, private groups, friend interactions and anything that Graph search allows.
$5k* |
Mitigating factors (deduct from maximum amount)
If the attack requires a new browser tab.
-$1.5k* |
Maximum payout
Being able to figure out the exact location of someone accurate on the ZIP code level.
$1.5k* |
Mitigating factors (deduct from maximum amount)
If the attack requires a new browser tab.
-$250* |
If the information cannot be binary-searched.
-$750* |
If the location is based on the user's IP address.
Out of scope |
Maximum payout
Being able to figure out if one's age falls into 13, 14, 15, 16, 17, 18+, 19, 21, 25+ ranges.
$750* |
Being able to figure out the exact age of someone.
$1k* |
Mitigating factors (deduct from maximum amount)
If the attack requires a new browser tab.
-$250* |
Maximum payout
Being able to point query if someone has a role on the page.
$1.25k* |
Mitigating factors (deduct from maximum amount)
If the attack requires a new browser tab.
-$750* |
Maximum payout
Issues with significant limitations around scalability or around the leaked data.
$500* - $750* |