Meta Bug Bounty scope

To be eligible for a bounty, you can report a security bug in one or more Meta technologies.

Note that third-party applications or websites not owned or controlled by Meta (e.g. WordPress VIP and Page.ly) are not within the scope of the program, except as outlined below. If you have any doubt as to whether a third-party application or website is in-scope, reach out to us before testing - this will help you avoid inadvertently testing an out-of-scope surface.

Program scope examples

If you are unsure whether a service is within the scope of the program or not, feel free to ask us. Below are some specific examples of in-scope and out-of-scope apps and websites to help guide your research.

Target

Eligible

Ineligible

Facebook

Websites:

facebook.com, fb.com, fb.me, thefacebook.com, m.facebook.com

Apps:

Facebook, Facebook Lite, Meta Business Suite, Meta Ads Manager

Websites:

fbsbx.com, investor.fb.com, accountkit.com

Apps:

Facebook for Blackberry, Facebook for Windows

Websites:

blog.whatsapp.com, translate.whatsapp.com, web.whatsapp.com, whatsapp.net, www.whatsapp.com

Apps:

WhatsApp, WhatsApp Business

Tech Stacks:

Private Processing

Website:

alpha.whatsapp.com, media.whatsapp.com

Instagram

Websites:

instagram.com, threads.com

Apps:

Instagram, Threads, Instagram Lite, Boomerang, Hyperlapse, Layout

Messenger

Websites:

messenger.com

Apps:

Messenger, Messenger Kids

Meta AI

Websites:

meta.ai

Meta Quest

Websites:

meta.com/quest/, oculus.com

Hardware:

All first party hardware

Software:

First party PC and mobile apps

Websites:

communityforums.atmeta.com

Ray-Ban Meta smart glasses

Hardware:

All first party hardware

Software:

Device software, firmware

Apps:

Meta View mobile app

Non-Meta hardware, software, and services, e.g. ray-ban.com

Important information

WhatsApp Private Processing

Access is by invitation only to validate the security of Meta’s Trusted Execution Environment, learn more about Private Processing .

Rewards for impactful findings is up to $300K USD.
The Private Processing stack runs inside secure virtual environments designed to protect sensitive data.
Setup guides and vetted testing artifacts are provided to help researchers get started quickly.
Learn more about how WhatsApp uses confidential computing to protect user data in the WhatsApp Private Processing engineering blog post .

Meta AI

The bug bounty program is interested in reports that demonstrate integral privacy or security issues associated with Meta's large language models, including being able to leak or extract training data through tactics like model inversion or extraction attacks.

Please report feedback that is outside the scope of the bug bounty program through one of these channels:

Reporting issues with the functionality or operation of the model: github.com/facebookresearch/llama and github.com/facebookresearch/codellama/ .
Reporting risky content generated by the models to help improve Llama, please submit the prompt and response pair to: developers.facebook.com/llama_output_feedback/ .
Reporting violations of Acceptable Use policy or unlicensed uses of Llama models: llamausereport@meta.com

Out of scope

Spam or social engineering techniques.
Denial-of-service attacks.
Content injection. Posting content on Facebook is a core feature, and content injection (also "content spoofing" or "HTML injection") is out of scope unless you can clearly demonstrate a significant risk.
Security issues in third-party apps or websites that integrate with Meta technologies (including most pages on apps.facebook.com), except in the specific circumstances described in “Meta Bug Bounty scope” (see above).
Executing scripts on sandboxed domains (such as fbrell.com or fbsbx.com). Using alert(document.domain) in your payload can help verify if the context is actually *.facebook.com.
Mobile app crash reports that are not reproducible on up to date OS versions or mobile devices released within the last 2 calendar years.

False positives

Open redirects. Any redirect using our Linkshim system is not an open redirect.
Profile pictures available publicly. Your current profile picture is always public (regardless of size or resolution).
Note that public information also includes your username, ID, name, current cover photo, gender, and anything you’ve shared publicly (learn more)
Sending messages to anyone on Facebook (learn more)
Accessing photos via raw image URLs from our CDN (Content Delivery Network). One of our engineers has posted a more detailed explanation (external link).
Case-insensitive passwords. We accept the "caps lock" version of a password or with the first character capitalized to avoid login problems.
Missing attribution on page posts. We generally show page admins which admin created a post, but this is not a security control.

Meta Bug Bounty processes

We recognize and reward security researchers who help us keep people safe by reporting vulnerabilities in our products and services. Monetary bounties for such reports are entirely at the discretion of Meta, based on risk, impact, number of vulnerable users, and other factors. To be considered for a bounty, you must meet the following requirements:

Adhere to our Responsible Research and Disclosure Policy and Safe Harbor Provisions (see above).
Report a security bug: that is, identify a vulnerability in our services or infrastructure (see program scope above) which creates a security or privacy risk. (Note that Meta ultimately determines the risk of an issue, and that many software bugs are not security issues.) Report the vulnerability upon discovery or as soon as is feasible.
Report a security bug involving one of the products or services that are within the scope of the program (see “Meta Bug Bounty scope” below). We specifically exclude certain types of potential security issues, listed under “Out of scope” and “False positives” (see below).
Submit your report via our "Report a Security Vulnerability" form (one issue per report) and respond to any follow-up requests from our staff for updates or further information. Please do not contact our staff directly or through other channels about a report.
- You will receive confirmation of our receipt of your report upon submission of the form.
Use test accounts when investigating issues. If you cannot reproduce an issue with a test account, you can use a real account you are authorized to use (except for automated testing). Do not use or interact with any real account belonging to another person without explicit written consent of the account owner (e.g. do not test against Mark Zuckerberg’s account).
Before engaging in any action which may be inconsistent with or unaddressed by these terms of service, contact us for clarification by submitting a new submission with your question.

In turn, we will follow these guidelines when evaluating reports under our Meta Bug Bounty:

We investigate and respond to all valid reports. Due to the volume of reports we receive, though, we prioritize evaluations based on risk and other factors, and it may take some time before you receive a follow-up reply.
We determine bounty amounts based on a variety of factors, including (but not limited to) impact, ease of exploitation, and quality of the report. If we pay a bounty, the minimum reward is $500*. Note that extremely low-risk issues may not qualify for a bounty at all. Even if the issue you identify is low-risk in isolation, if your report leads us to discover higher-risk vulnerabilities, we may, at our sole discretion, pay an increased award.
We will generally pay lower reward amounts for in-scope vulnerabilities that are only exploitable through outdated versions of non-Meta developed software (e.g. a web browser), but we will still consider such reports.
We seek to pay similar amounts for similar issues, but bounty amounts and qualifying issues may change with time. Past rewards do not necessarily guarantee similar results in the future.
In the event of duplicate reports, we award a bounty to the first person to submit an issue. (Meta determines duplicates in its sole discretion and is not obligated to share details on prior similar reports.) A given bounty is typically only paid to one individual. However, if a subsequent report on a previously evaluated issue reveals that a vulnerability still remains or is more serious than initially judged, we may pay a reward for the subsequent report and evaluate whether an additional reward is warranted for the initial entry.
You may donate a bounty to a recognized charity (subject to approval by Meta). In fact, we double bounty amounts that are donated in this way.
We reserve the right to publish reports (and accompanying updates).
We publish a list of researchers who have submitted valid security reports. You must receive a bounty to be eligible for this list, but your participation on the list is then optional. We reserve the right to limit or modify the information accompanying your name in the list.
We verify that all bounty awards are permitted by applicable laws, including (but not limited to) US trade sanctions and economic restrictions.
Meta may share report information, such as severity levels, payout amounts, and if you provide consent, Researcher ID with Bugcrowd and HackerOne for the purpose of processing bounty payouts.

We may retain any communications about security issues you report for as long as we deem necessary for program purposes, and we may cancel or modify this program at any time.

Qualifying individuals who submit a valid report to Meta that results in a payout according to these Terms will automatically be enrolled in our Hacker Plus rewards program for the opportunity to gain league status within the program and receive rewards, subject to verification and in accordance with the league in which they have qualified. There is no purchase necessary to participate in this program and a purchase will not increase your chances of receiving a reward. Participation in this program is void where prohibited by law. All rewards and participation are governed by our full Hacker Plus terms and conditions, which can be found here: https://bugbounty.meta.com/hackerplus/terms. Meta may offer features allowing participants to publicly display certain information about their participation in this program within a researcher profile, such as profile information, the league achieved, and related badges, points, score, signal-to-noise ratio, and other statistics. If you choose to share your information through this feature, this information will be public and others, including people without a Facebook account, may use it or share it with third parties.

Third party applications or websites

Vulnerabilities in third-party apps or websites that integrate with Meta technologies (including most pages on apps.facebook.com) are within scope only where the following conditions are met:

The vulnerability is found in one of the following two ways:

through passively viewing data sent to or from your device while using the app or website. You are not permitted to manipulate any request sent to the app or website from your device or to otherwise interfere with the ordinary functioning of the app or website in connection with the research supporting your report. (For example, SQLi, XSS, open redirect, or permission-bypass vulnerabilities (such as IDOR) are strictly out of scope.)
OR
other activity authorized by the third party responsible for the app or website, for example under the terms of the third party's own vulnerability disclosure or Meta Bug Bounty. Terms for Meta Bug Bounty do not provide any authorization allowing you to test an app or website controlled by a third-party. Please only share details of a vulnerability if permitted to do so under the third party's applicable policy or program. Your report should include a link to the third party's vulnerability disclosure or Meta Bug Bounty, or to any authorization received from the third party for the activity underlying your report.

The vulnerability must have some potential impact on Meta user data or systems (e.g. access token disclosure).

Whether we will pay any award in response to a report of a vulnerability affecting a third-party app or website (and if so, how much) is completely within our discretion. Factors that will influence our award decision include, but are not limited to, our ability to verify the vulnerability and ensure that it is remediated, the number of Facebook users potentially affected (we generally will only provide a bounty when over 200,000 Facebook users may be potentially affected), and the extent of the potential impact the vulnerability could have on Meta user data or systems if left unfixed. Receiving an award through the relevant third party's Meta Bug Bounty does not disqualify you from receiving an award through Meta Bug Bounty if submitted in compliance with these terms.

Conditions for closing reports as invalid

The main reasons why we close reports as invalid (informative/not applicable) are:

The report is not describing a security issue, but rather a general software bug. Many software bugs are not security issues when they don't cause security or privacy risk.
The report is describing a missing feature or a feature improvement suggestion.
The issue reported is out of the scope of our bug bounty program. If you reported an issue that is not affecting Meta products, or the issue is caused by something that is out of Meta's control, it will not be eligible for our bug bounty program. For example, a security issue in Android OS may affect Facebook users that are using Android, but we cannot take action on that issue as Android is not owned by Meta.
The scenario described in the report is a social engineering scenario or a spam attack. We are aware of the risks caused by these attacks, and we are doing our best to monitor and prevent these attacks, but they are not considered in scope for our bug bounty program.
The reported issue falls below the bar for a monetary reward.

Learn more

Payout guidelines

Meta Bug Bounty terms

Data abuse