Posted on - 01/13/2021
Once, I found a website about Apple giving money to whoever finds a bug in their apps and devices. But I didn’t know Facebook also has one. Facebook also has a bounty program to help them find bugs in their system and apps. How much does it pay?
Facebook Bug Bounty Program, What Is It?
Here’s a brief text from the Whitehat policy page on Facebook about the Bug Bounty Program:
“If you believe you have found a security vulnerability on Facebook, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. Before reporting though, please review this page including our responsible disclosure policy, reward guidelines, and those things that should not be reported.”
You can read the complete information about the bug bounty program on their Whitehat Information page. Facebook's bug bounty program started in 2011, ten years ago. Facebook runs the program itself: external researchers help improve the security and privacy of the website and its products by reporting potential security vulnerabilities.
To report a bug, go to the “Bug Bounty Program Processes” section on their Whitehat page and read the details. The program helps Facebook detect and fix problems faster and so better protect the community, and the rewards paid to qualifying participants encourage more high-quality security research. More than 50,000 researchers have joined the program over the past ten years, and about 1,500 researchers from 107 countries have received a bounty.
In fall 2020, Natalie Silvanovich of Google’s Project Zero reported a bug that could have permitted a sophisticated attacker, logged in on Messenger for Android, to initiate a call and simultaneously send an unintended message type to someone logged in on Messenger for Android and on another Messenger client, such as a web browser.
This would trigger a scenario where, while the target's device was still ringing, the caller would begin receiving audio from it, either until the person being called answered or until the call timed out. The security-relevant point is that the callee's device started transmitting audio before the user had accepted the call. To exploit the problem, the attacker had to already be permitted to call the target by passing specific eligibility checks, for example being Facebook friends with them.
The attacker also needed reverse-engineering tools to manipulate their own Messenger app and force it to send a custom message. After fixing the bug server-side, Facebook’s security engineers applied extra protections against this class of problem across their apps that use the same protocol for 1:1 calling. Natalie Silvanovich's report earned $60,000, which Facebook counts among its three highest bug bounties.