Meta releases new payout guidelines for bug bounty program devices

Meta, the parent company of Facebook, announced on Friday that it was adding new payout guidelines for how the company would assess submissions in its bug bounty program related to its Reality Labs hardware.

Meta’s bug bounty program, which was established over a decade ago, allows security researchers to identify different bugs and vulnerabilities that can impact the safety of its products and code. 

Meta’s payout guideline update pertains to Reality Labs devices, including its Ray-Ban Stories, Meta Portal and Meta Quest 2. The guidelines explain how the company reviews the possible consequences and effects of bug submissions and how bounties are ultimately determined.

Bugs and vulnerabilities for these devices can include local data storage issues, unauthorized camera and mic access, or issues stemming from possibly malicious third-party apps. Depending on the type of bug or vulnerability identified, researchers can be paid between $500 and $30,000.

Meta noted that if researchers can make the case that the bugs or vulnerabilities they identify could lead to privacy risks, physical safety risks or safety concerns, those impacts will also be taken into consideration in the final payout.

“If a researcher demonstrates in a bug report that their finding could potentially result in physical health, safety, or privacy risks, we’ll also take these impacts into consideration when determining the overall bounty payout,” Meta said, according to its blog post. “As we’ve done since establishing the bug bounty program more than 10 years ago, the final payout amount will be based on the maximum possible security impact of a bug submission.”

“We have an opportunity and responsibility to develop the frameworks, infrastructure, and tools needed to protect people and their data in these new, interconnected digital spaces,” Facebook’s parent company noted.

“As part of that effort, we’re continuing to evolve our security best practices and work with the global security community to further strengthen our products’ security and keep people safe,” it added.

Meta began posting guidelines for its bug bounty payouts earlier this year.

Correction: This article has been updated to reflect that Meta has added new payout guidelines to its bug bounty program for Reality Labs devices. 

Updated 6:38 p.m.
