- In 2024, our bug bounty program awarded more than $2.3 million in bounties, bringing our total bounties since the creation of our program in 2011 to over $20 million.
- As part of our defense-in-depth strategy, we continued to collaborate with the security research community in the areas of GenAI, AR/VR, ads tools, and more.
- We also celebrated the security research conducted by our bug bounty community as part of our annual bug bounty summit and many other industry events.
As we embark on a new year, we're sharing several updates on our work with external bug bounty security researchers to help protect our global community and platforms. This includes new payout stats, details on what's in scope for GenAI-related bug reports, and a recap of some of our engagements throughout last year with bug bounty researchers.
Highlights from Meta's bug bounty program in 2024
In 2024, we received nearly 10,000 bug reports and paid out more than $2.3 million in bounty awards to researchers around the world who helped make our platforms safer.
- Since 2011, we have paid out more than $20 million in bug bounties.
- Last year, we received nearly 10,000 reports and paid out awards on nearly 600 valid reports.
- In 2024, we awarded more than $2.3 million to nearly 200 researchers from more than 45 countries.
- The top three countries based on bounties awarded last year are India, Nepal, and the US.
Engaging researchers in bug hunting in GenAI
After making our generative AI features available to security researchers through our long-running bug bounty program in 2023, Meta has continued to roll out new GenAI products and tools. In 2024, we provided more details to our research community on what's in scope for bug bounty reports related to our large language models (LLMs). We now welcome reports that demonstrate integral privacy or security issues related to Meta's LLMs, including being able to extract training data through tactics like model inversion or extraction attacks.
We have already received several impactful reports focused on our GenAI tools, and we look forward to continuing this important work with our community of researchers to help ensure the security and integrity of our GenAI tools.
Encouraging security research in ads audience and hardware products
This year, we prioritized our efforts to steer security research by the bug bounty community towards a number of product surfaces, including:
Ads audience tools designed to help people choose a target audience for their ads: We announced new payout guidelines to provide transparency to our security researchers on how we assess the impact of the reports we receive for potential security bugs in Meta's ads audience tools. We cap the maximum base payout for finding PII (name, email, phone number, state, ZIP, gender) for an ads audience at $30,000 and then apply any applicable deduction based on the required user interaction, prerequisites, and any other mitigating factors to arrive at the final awarded bounty amount. More details here.
Mixed reality hardware products: As Meta continues to roll out mixed reality products, we work to encourage security research into these hardware and AI-driven technologies to help us find and fix potential bugs as quickly as possible. In 2024, our bug bounty researchers contributed reports on potential issues in Quest that could have impacted security settings or led to memory corruption. We also brought our Quest 3 and Ray-Ban Meta glasses to hardwear.io USA 2024, a leading conference that brings together top hardware hackers to test new hardware products and help uncover potential vulnerabilities.
Building and celebrating the global bug bounty community
As part of our continuous commitment to security research – both inside and outside Meta – we invested in enabling open collaboration with our bug bounty community by:
Organizing community events and presenting joint research: We hosted our annual Meta Bug Bounty Researcher Conference (MBBRC) in Johannesburg, South Africa, bringing together 60 of our top researchers from all over the world. We received more than 100 bug reports and awarded over $320,000 in total. We also co-presented talks at EkoParty, DEF CON, Hardwear.io, Pwn2Own, and other security research summits. This year, we're pleased to share that 2025 MBBRC will be hosted in Tokyo, Japan, May 12-15. Stay tuned for more details in 2025.
Celebrating long-time researchers: One of our most long-standing and prolific researchers, Philippe Harewood, reached a 10-year milestone with over 500 valid reports paid out by our bug bounty program. Noteworthy contributions over the years include Philippe's groundbreaking research on Instagram access token leak, video capture limit bypass on Ray-Ban Stories, and more.
Providing resources and timely updates for the research community: The Meta Bug Bounty website serves as a centralized hub for all bug bounty news and updates. Researchers can also follow the program on Instagram, Facebook, and X for quick updates.
Looking ahead
Meta's bug bounty team looks forward to introducing new initiatives and continuing to engage with our existing community and new researchers who are just getting started. Additionally, we'll continue to provide seasoned experts with unique opportunities to test unreleased features through our private bug bounty tracks.
For the past 14 years, our bug bounty program has fostered a collaborative relationship with external researchers that has helped keep our platforms safer and more secure. We would like to extend a heartfelt thanks to everyone who contributed to the growth of our program in 2024.