©2024 Meta.
To be eligible for a bounty, you can report a security bug in one or more Meta technologies.
Note that third-party applications or websites not owned or controlled by Meta (e.g. WordPress VIP and Page.ly) are not within the scope of the program, except as outlined below. If you have any doubt as to whether a third-party application or website is in scope, reach out to us before testing; this will help you avoid inadvertently testing an out-of-scope surface.
If you are unsure whether a service is within the scope of the program or not, feel free to ask us. Below are some specific examples of in-scope and out-of-scope apps and websites to help guide your research.
Please report feedback that is outside the scope of the bug bounty program through one of these channels:
We may retain any communications about security issues you report for as long as we deem necessary for program purposes, and we may cancel or modify this program at any time.
Qualifying individuals who submit a valid report to Meta that results in a payout according to these Terms will automatically be enrolled in our Hacker Plus rewards program for the opportunity to gain league status within the program and receive rewards, subject to verification and in accordance with the league in which they have qualified. There is no purchase necessary to participate in this program and a purchase will not increase your chances of receiving a reward. Participation in this program is void where prohibited by law. All rewards and participation are governed by our full Hacker Plus terms and conditions, which can be found here: https://bugbounty.meta.com/hackerplus/terms. Meta may offer features allowing participants to publicly display certain information about their participation in this program within a researcher profile, such as profile information, the league achieved, and related badges, points, score, signal-to-noise ratio, and other statistics. If you choose to share your information through this feature, this information will be public and others, including people without a Facebook account, may use it or share it with third parties.
The vulnerability is found in one of the following two ways:
The vulnerability must have some potential impact on Meta user data or systems (e.g. access token disclosure).
Whether we will pay any award in response to a report of a vulnerability affecting a third-party app or website (and if so, how much) is completely within our discretion. Factors that will influence our award decision include, but are not limited to, our ability to verify the vulnerability and ensure that it is remediated, the number of Facebook users potentially affected (we generally will only provide a bounty when over 200,000 Facebook users may be potentially affected), and the extent of the potential impact the vulnerability could have on Meta user data or systems if left unfixed. Receiving an award through the relevant third party's Meta Bug Bounty does not disqualify you from receiving an award through Meta Bug Bounty if submitted in compliance with these terms.
The main reasons why we close reports as invalid (informative/not applicable) are: