Where do I report a Facebook bug?

If you discover a bug or security vulnerability in Facebook, the best way to report it is through their bug bounty program on HackerOne. This allows you to disclose the issue in a responsible way and potentially get rewarded financially if it meets their bounty criteria.

What is Facebook’s bug bounty program?

Facebook runs a bug bounty program through the platform HackerOne. This is a way for security researchers to responsibly disclose bugs and vulnerabilities they find in Facebook’s online services. By submitting reports through this program, you give Facebook time to fix issues before making them public.

If the bug you submit is confirmed as a valid finding, you may be eligible for a financial reward through their bounty program. Payouts range from $500 to $50,000+ depending on the severity and type of report. Facebook’s bounty program helps incentivize researchers to keep their platform safe.

Why should I report bugs through the bounty program?

There are a few key reasons why using the official bounty program is better than publicly posting bugs:

  • It gives Facebook time to ship fixes for the issue before it is made public
  • You are less likely to put Facebook users at risk compared to irresponsible disclosure
  • Valid reports are eligible for bounty payouts
  • It establishes your reputation as an ethical security researcher

Facebook, like all major online platforms, takes a very dim view of publicly posting unresolved bugs and vulnerabilities. So reporting through proper bounty channels is mutually beneficial.

What types of bugs are eligible?

Facebook considers a wide variety of bugs and vulnerabilities eligible for bounty rewards, including:

  • Remote code execution
  • SQL injection
  • Authentication bypass
  • Sensitive data exposure
  • Privilege escalation
  • Clickjacking and UI redress
  • Cross-site scripting (XSS)
  • Cross-site request forgery (CSRF)
  • Information disclosure
  • Business logic bugs
  • Account takeovers

Issues that impact the confidentiality or integrity of user data are likely to qualify. Even lower severity bugs like CSRF may get bounties. The full list of eligible issues is in their program brief.

How much does Facebook pay for bugs?

Facebook uses a tiered bounty structure based on severity and exploitability:

  Bounty     Description
  $500       Low severity issues
  $1,500     Medium severity bugs
  $5,000     High severity reports with difficult exploit conditions
  $10,000    P1/Critical issues, or reports with easy exploitation

Top awards of $50,000+ are reserved for incredibly severe vulnerabilities such as full account takeovers, private data leakage, or bugs that bypass core platform security controls.

In addition to per-bug bounties, Facebook may award bonuses for high quality, proactive research. The full details are on their HackerOne program page.

How do I submit a vulnerability report?

To submit a bug to the Facebook bounty program, follow these steps:

  1. Read Facebook’s full program brief and eligibility rules
  2. Set up a HackerOne account if you don’t have one
  3. Start preparing your report and any proofs of concept
  4. Submit the report through the HackerOne platform
  5. Be responsive to any follow-up questions from Facebook’s security team
  6. If confirmed valid, get paid!

Make sure your submission follows all the guidelines. Disorganized or poorly written reports are frustrating for security teams to parse. Craft your submission to emphasize the business risk and customer impact.

What if I find a bug on Instagram or WhatsApp?

Facebook’s bounty program covers Instagram, Messenger, Workplace, Oculus, and all their other apps and services. So you can use the same HackerOne channel to report bugs impacting any property owned by Facebook.

Issues specifically affecting WhatsApp are not covered currently. You will need to submit those through the separate WhatsApp bounty program.

Can I report bugs anonymously?

Yes, you can submit bug reports anonymously through HackerOne. However, keeping communication open is recommended for earning bounties. The Facebook security team may need to ask follow-up questions or require clarification on proofs of concept.

Having an established reputation on HackerOne as a known security researcher can help fast-track your submissions. But anonymous reporters are still eligible for bounty awards.

What if Facebook ignores or declines my report?

It’s possible Facebook’s security team may not agree your bug constitutes a valid finding. If you believe they are incorrect in closing your report, politely share why you think it’s a security issue worth addressing. But keep in mind they make the final call.

For more ambiguous bugs rejected as out of scope, consider checking if they are possibly eligible under another major program on HackerOne. There are bounties for Google, Microsoft, Apple, and hundreds of other top companies.

If Facebook simply does not respond after a reasonable time, gently ping them for an update. But be patient – these teams deal with a high volume of submissions.

Can I get in trouble legally for submitting bugs?

When responsibly reporting bugs through an authorized bounty program like Facebook’s, you should not have to worry about potential legal issues. These programs exist specifically to encourage disclosure of vulnerabilities.

However, you should only interact with accounts and data specifically authorized in the bounty brief. Testing should not negatively disrupt Facebook’s services or compromise real user data. Unauthorized access attempts could cross legal boundaries.

As long as your research sticks to what is allowed by the program, and you have no malicious intent, submitting bugs is a legitimate activity protected by anti-hacking laws.

Are there any common mistakes to avoid?

Some common mistakes that new security researchers make when reporting bugs include:

  • Submitting duplicate findings that are already known issues
  • Writing overly vague or ambiguous reports
  • Not including clear replication steps
  • Failing to demonstrate actual impact
  • Hyperbolic titles or claims in submissions
  • Assuming the worst without evidence

Try to do your due diligence to avoid these pitfalls. Make your reports stand out with clear investigation, reproduction steps, and articulated impact focused on the user or customer.

Conclusion

Responsibly disclosing bugs directly to companies benefits both security researchers and platform users. While public disclosure can put users at risk, cooperating through authorized bounty programs allows issues to be fixed in a safe, legal way. So reporting Facebook bugs and vulnerabilities through their HackerOne bounty program is the best approach for all parties involved.