(Last updated 12 September 2018)
If you believe you have found a security vulnerability on Facebook (or another member of the Facebook family of companies), we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. Before reporting though, please review this page including our responsible disclosure policy, reward guidelines, and those things that should not be reported.
If you are looking to report another type of issue, please use the links below for assistance.
If your account or a friend’s account is sending out suspicious links: https://www.facebook.com/help/hacked
To report abuse: https://www.facebook.com/help/reportlinks
For any other questions or concerns, please visit our Help Center: https://www.facebook.com/help
For program updates and news from our Bug Bounty team, please Like our Facebook page: https://www.facebook.com/bugbounty
If you comply with the policies below when reporting a security issue to Facebook, we will not initiate a lawsuit or law enforcement investigation against you in response to your report. We ask that:
You give us reasonable time to investigate and mitigate an issue you report before making public any information about the report or sharing such information with others.
You do not interact with an individual account (which includes modifying or accessing data from the account) if the account owner has not consented to such actions.
You make a good faith effort to avoid privacy violations and disruptions to others, including (but not limited to) unauthorized access to or destruction of data, and interruption or degradation of our services.
You do not exploit a security issue you discover for any reason. (This includes demonstrating additional risk, such as attempted compromise of sensitive company data or probing for additional issues.)
You do not intentionally violate any other applicable laws or regulations, including (but not limited to) laws and regulations prohibiting the unauthorized access to data.
For the purposes of this policy, you are not authorized to access user data or company data, including (but not limited to) personally identifiable information and data relating to an identified or identifiable natural person.
We recognize and reward security researchers who help us keep people safe by reporting vulnerabilities in our services. Monetary bounties for such reports are entirely at Facebook’s discretion, based on risk, impact, and other factors. To potentially qualify for a bounty, you first need to meet the following requirements:
Adhere to our Responsible Disclosure Policy (see above).
Report a security bug: that is, identify a vulnerability in our services or infrastructure which creates a security or privacy risk. (Note that Facebook ultimately determines the risk of an issue, and that many software bugs are not security issues.)
Your report must describe a problem involving one of the products or services listed under “Bug Bounty Program Scope” (see below).
We specifically exclude certain types of potential security issues; these are listed under “Out of Scope and False Positives” (see below).
Submit your report via our “Report a Security Vulnerability” form (one issue per report) and respond to the report with any updates. Please do not contact employees directly or through other channels about a report.
If you inadvertently cause a privacy violation or disruption (such as accessing account data, service configurations, or other confidential information) while investigating an issue, you must disclose this in your report.
Use test accounts when investigating issues. If you cannot reproduce an issue with a test account, you can use a real account (except for automated testing). Do not interact with other accounts without consent (e.g. do not test against Mark Zuckerberg’s account).
In turn, we will follow these guidelines when evaluating reports under our bug bounty program:
We investigate and respond to all valid reports. Due to the volume of reports we receive, though, we prioritize evaluations based on risk and other factors, and it may take some time before you receive a reply.
We determine bounty amounts based on a variety of factors, including (but not limited to) impact, ease of exploitation, and quality of the report. If we pay a bounty, the minimum reward is $500. Note that extremely low-risk issues may not qualify for a bounty at all.
We seek to pay similar amounts for similar issues, but bounty amounts and qualifying issues may change with time. Past rewards do not necessarily guarantee similar results in the future.
In the event of duplicate reports, we award a bounty to the first person to submit an issue. (Facebook determines duplicates and may not share details on the other reports.) A given bounty is only paid to one individual.
You may donate a bounty to a recognized charity (subject to approval by Facebook), and we double bounty amounts that are donated in this way.
We reserve the right to publish reports (and accompanying updates).
We publish a list of researchers who have submitted valid security reports. You must receive a bounty to be eligible for this list, but your participation is then optional. We reserve the right to limit or modify the information accompanying your name in the list.
We verify that all bounty awards are permitted by applicable laws, including (but not limited to) US trade sanctions and economic restrictions.
From time to time, Facebook may offer promotions in connection with the Bug Bounty Program. Reports submitted according to these terms may be subject to additional governing rules for that promotion as described in those rules, which are or will be made available here and are incorporated into these terms through this reference: https://www.facebook.com/whitehat/promotion/.
Note that your use of Facebook services and the services of any member of the Facebook family of companies, including for purposes of this program, is subject to Facebook’s Terms and Policies and the terms and policies of any member of the Facebook family of companies whose services you use. We (and any member of the Facebook family of companies that is the subject of your report) may retain any communications about security issues you report for as long as we deem necessary for program purposes, and we may cancel or modify this program at any time.
To qualify for a bounty, report a security bug in Facebook or one of the following qualifying products or acquisitions:
Internet.org / Free Basics
Open source projects by Facebook (e.g. osquery)
Note that services not owned by Facebook (e.g. WordPress VIP and Page.ly) are not eligible under our bug bounty program. While we often care about vulnerabilities affecting services we use, we cannot guarantee our disclosure policies apply to services from other companies.
Note, too, that vulnerabilities in third-party apps or websites that integrate with Facebook (including most pages on apps.facebook.com) are generally not within the scope of our bug bounty program. Currently, the only exception is for security bugs resulting in the exposure of Facebook user access tokens to unauthorized entities. We will accept reports of such vulnerabilities, but only if the bug is discovered by passively viewing the data sent to or from your device while using the app or website. You are not permitted to manipulate any request sent to the app or website from your device or otherwise interfere with the ordinary functioning of the app or website in connection with submitting your report. (For example, SQLi, XSS, open redirect, or permission-bypass vulnerabilities (such as IDOR) are strictly out of scope.) Further, you may not access data or use any access token from any Facebook account other than your own. Finally, only third-party apps with at least 50,000 active users are within scope.
If you are unsure whether a service is eligible for a bounty or not, feel free to ask us. Below are some specific examples of eligible and ineligible apps and websites to help guide your research.
Target| Eligible| Ineligible
Facebook| Websites: facebook.com, fb.com, fb.me, messenger.com, thefacebook.com, accountkit.com
Apps: Ads Manager, Facebook, Facebook Lite, Workplace by Facebook, Groups, Hello, Mentions, Messenger, Moments, Pages Manager, Paper (by Facebook), Work Chat
| Websites: events.fb.com, fbsbx.com, investor.fb.com, media.fb.com, newsroom.fb.com, research.fb.com, search.fb.com, work.fb.com, research.fb.com, madebykorea.fb.com
Apps: Facebook for Blackberry, Facebook for Windows
Instagram| Websites: instagram.com
Apps: Boomerang, Hyperlapse, Instagram, Layout
| Websites: blog.instagram.com
Internet.org| Websites: freebasics.com, internet.org
Apps: Free Basics
Oculus| Websites: oculus.com
Hardware: All first party hardware
Software: First party PC and mobile apps
| Websites: answers.oculus.com, forums.oculus.com, support.oculus.com
Onavo| Websites: onavo.com
Apps: Onavo Count, Onavo Extend, Onavo Protect
| Websites: Websites: blog.onavo.com
Open Source| Code repos:
WhatsApp| Websites: blog.whatsapp.com, translate.whatsapp.com, web.whatsapp.com, whatsapp.net, www.whatsapp.com
| Websites: alpha.whatsapp.com, media.whatsapp.com
Other Partnerships/Acquisitions| | Websites: daytum.com, drop.io, face.com, friendfeed.com, monoidics.com, opencompute.org, and spaceport.io
Spam or social engineering techniques.
Content injection. Posting content on Facebook is a core feature, and content injection (also "content spoofing" or "HTML injection") is ineligible unless you can clearly demonstrate a significant risk.
Security issues in third-party apps or websites that integrate with Facebook (including most pages on apps.facebook.com), except in the specific circumstances described in “Bug Bounty Program Scope” (see above).
Executing scripts on sandboxed domains (such as fbrell.com or fbsbx.com). Using alert(document.domain) can help verify if the context is actually *.facebook.com.
Open redirects. Any redirect using our "linkshim" system is not an open redirect (learn more).
Profile pictures available publicly. Your current profile picture is always public (regardless of size or resolution).
Note that public information also includes your username, ID, name, current cover photo, gender, and anything you’ve shared publicly (learn more).
Sending messages to anyone on Facebook (learn more).
Accessing photos via raw image URLs from our CDN (Content Delivery Network). One of our engineers has posted a more detailed explanation (external link).
Case-insensitive passwords. We accept the "caps lock" version of a password or with the first character capitalized to avoid login problems.
Missing attribution on page posts. We generally show page admins which admin created a post, but this is not a security control.