Facebook increases the average payout for security researchers to encourage them to find high impact Vulnerabilities. The researchers who find account takeover vulnerabilities that lead to full account takeover without user consent will be rewarded up to $40,000.
The change in payout for bounties applicable to other products owned by Facebook including Instagram, WhatsApp, and Oculus.
High Impact Vulnerabilities
For researchers who detect a complete account takeover, including access tokens leakage or the ability to access users’ valid sessions are rewarded with the bounty of $40,000 for vulnerabilities without user interaction and $25,000 for the one with minimum user interaction.
Last September Facebook revealed a security breach that exposes 50 million accounts access tokens, hackers steal the access tokens by exploiting a bug in View As a feature.
Our goal is to ensure that these vulnerabilities such as the one disclosed in September are reported to us in the most responsible and timely manner.
The account takeover vulnerability allows an attacker to take complete control over the user account and access victims’ personal and group conversations, photos, videos, and other shared files, contact lists, and more.
The social media giant recently introduced Rewards for Rewards for Access Token Exposure, under this researchers will be rewarded for finding vulnerabilities in third-party apps and websites that exposes Facebook user access tokens.
“While monetary reward may not be the strongest incentive for why bug bounty researchers hack, we believe it remains a strong motivator for our white hat researchers to invest time in helping us identify and mitigate vulnerabilities reads facebook post.”
Bug Bounty program employs crowdsource security researchers will diverse skill set covering a wide of vulnerability scenarios and advanced threats. There are many apprehensions and misconceptions among large organizations about bug bounty programs regarding trust, talent base, managing security researchers, and more.