Meta's Bug Bounty Program Shows $2m Awarded in 2022

Written by

Social media giant Meta has awarded a total of $2m as part of its bug bounty program. The total amount since the program's establishment in 2011 is reportedly $16m.

The figures come from a blog post Meta published on Thursday looking back at the highlights from the company's bug bounty program over the last decade.

"We received hundreds of impactful bug reports in 2022 from researchers all over the world that have helped to make our community more secure," Meta wrote.

Since 2011, the company said it had received more than 170,000 reports, of which over 8500 were awarded a bounty. The numbers for 2022 alone were 10,000 reports, with issued rewards on more than 750.

Meta also recently released new payout guidelines for mobile remote code execution (RCE) bugs and account takeover (ATO) and two-factor authentication (2FA) bypass vulnerabilities.

They range as high as $130,000 for ATO reports and $300,000 for mobile RCE bugs.

"These guidelines are intended to set an average maximum payout for a particular bug category and describe what mitigating factors we consider in determining the bounty to help researchers prioritize their hunting," Meta wrote.

"Ultimately, each report is evaluated on a case-by-case basis and could, in some cases, be awarded higher than the cap depending on the internally assessed impact."

Under the new guidelines, Meta said it has awarded security researcher Yaala Abdellah $163,000 for identifying a bug in Facebook's account recovery flow potentially enabling an attacker to reset passwords and take over an account if it wasn't protected by 2FA.

"We also fixed a bug reported by Gtm Mänôz of Nepal, which could have allowed an attacker to bypass SMS-based 2FA by exploiting a rate-limiting issue to brute force the verification pin required to confirm someone's phone number," Meta added. "We awarded a $27,200 bounty for this report."

The new guidelines come weeks after Meta was fined €265m ($275m) in Ireland concerning a large-scale data leak that occurred earlier in the year.

What’s hot on Infosecurity Magazine?