Responsible research and disclosure policy
For you to participate in the program, we require that:
- You do not interact with an individual account (which includes modifying or accessing data from the account) without the account owner's explicit consent in writing, which you must produce upon request.
- You make a good faith effort to avoid privacy violations and disruptions to others, including (but not limited to) unauthorized access to or destruction of data, and interruption or degradation of our services. You must not intentionally violate any applicable laws or regulations, including (but not limited to) laws and regulations prohibiting unauthorized access to data.
- If you inadvertently access another person's data or Meta company data without authorization while investigating an issue, you must promptly cease any activity that might result in further access of user or Meta company data and notify Meta what information was accessed (including a full description of the contents of the information) and then immediately delete the information from your system. Continuing to access another person's data or company data may demonstrate a lack of good faith and disqualify you from any benefit of the Safe Harbor Provisions described below. You must also acknowledge the inadvertent access in any related bug bounty report you may subsequently submit. You may not share the inadvertently accessed information with anyone else.
- You do not exploit a security issue you discover for any reason other than for testing purposes, and you do not conduct testing outside of your own account, a test account, or another account for which you have the explicit written consent of the account owner to test. (This includes demonstrating additional risk, such as the risk that the security issue could be used to compromise sensitive company data or another user's account.)
- You give us reasonable time to investigate and mitigate an issue you report before publicly disclosing any information about the report or sharing such information with others.
- You will receive updates from us regarding the status of your report and our progress toward resolution. Given that every vulnerability is different, the timing, extent, and verbosity of our updates to you will also differ, and will be within Meta’s sole discretion.
- Not be a resident of, or make your submission from, a country against which the United States has issued export sanctions or other trade restrictions (e.g., Cuba, Iran, North Korea, Syria, the Crimea Region, or any other jurisdiction or area designated by the United States Treasury's Office of Foreign Assets Control).
- Not be employed by or a contractor/vendor of Meta or its subsidiaries or affiliates, or be an immediate family member of a person employed by Meta or its subsidiaries or affiliates (defined for these purposes as including spouse, domestic partner, parent, legal guardian, legal ward, child, and sibling, and each of their respective spouses, and individuals living in the same household as such individuals).
- Not be less than 14 years of age - if you are at least 14 years old, but are considered a minor in your place of residence, you must get your parent’s or legal guardian’s permission prior to participating.
Safe harbor provisions
- We consider these terms to provide you authorization, including under the Computer Fraud and Abuse Act (CFAA) and similar applicable laws and/or regulations, to test the security of the products and systems identified as in-scope below. These terms do not provide you authorization to intentionally access company data or data from another person's account without their express consent, including (but not limited to) personally identifiable information or data relating to an identified or identifiable natural person.
- If Meta determines in its sole discretion that you have complied in all respects with these Meta Bug Bounty terms in reporting a security issue to Meta, we will not initiate a complaint to law enforcement or pursue a civil action against you, to include civil actions under the CFAA in connection with the research underlying your report and DMCA claims against you for circumventing the technological measures we have used to protect the applications in scope. Meta will also not pursue legal action against you for clear accidental or good faith violations of its policy or these terms.
- Your use of Meta technologies, including for purposes of this program, remains subject to Meta Terms and Policies and the terms and policies of the Meta services you use. To the extent activities authorized by these Meta Bug Bounty terms are inconsistent with other terms of service for in-scope Meta technologies and programs, we waive those restrictions for the limited purpose of permitting security research under this policy.
- If legal action is initiated by a third party against you for conduct that Meta determines to have complied with these Meta Bug Bounty terms, Meta will take steps to make it known, either to the public or the court, that your actions were authorized under this program.
Payout Terms
- Bug Bounty payouts that are not claimed within 6 months from the date of the payout message will be automatically revoked and rendered ineligible for claiming. It is the responsibility of the researcher to claim their payout within this timeframe.