(Last updated 15 October 2019)
Facebook recognizes the value external security researchers can bring to the security of Facebook systems, and we welcome and seek to reward eligible contributions from security researchers, as outlined below. If you believe you have found a security vulnerability on Facebook (or another member of the Facebook family of companies), we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. Before reporting, though, please review this page, including our responsible disclosure policy, reward guidelines, and scope of the program.
If you are looking to report another type of issue, please use the links below for assistance.
If your account or a friend’s account is sending out suspicious links: https://www.facebook.com/help/hacked
To report abuse: https://www.facebook.com/help/reportlinks
For any other questions or concerns, please visit our Help Center: https://www.facebook.com/help
For program updates and news from our Bug Bounty team, please Like our Facebook page: https://www.facebook.com/bugbounty
For you to participate in the program, we require that:
You do not interact with an individual account (which includes modifying or accessing data from the account) without the account owner's explicit consent in writing, which you must produce upon request.
You make a good faith effort to avoid privacy violations and disruptions to others, including (but not limited to) unauthorized access to or destruction of data, and interruption or degradation of our services. You must not intentionally violate any applicable laws or regulations, including (but not limited to) laws and regulations prohibiting the unauthorized access to data.
If you inadvertently access another person's data or Facebook company data without authorization while investigating an issue, you must promptly cease any activity that might result in further access of user or Facebook company data, notify Facebook of what information was accessed (including a full description of the contents of the information), and then immediately delete the information from your system. Continuing to access another person's data or company data may demonstrate a lack of good faith and disqualify you from any benefit of the Safe Harbor Provisions described below. You must also acknowledge the inadvertent access in any related bug bounty report you may subsequently submit. You may not share the inadvertently accessed information with anyone else.
You do not exploit a security issue you discover for any reason other than for testing purposes, and you do not conduct testing outside of your own account, a test account, or another account for which you have the explicit written consent of the account owner to test. (This includes demonstrating additional risk, such as the risk that the security issue could be used to compromise sensitive company data or another user's account.)
You give us reasonable time to investigate and mitigate an issue you report before publicly disclosing any information about the report or sharing such information with others.
We consider these terms to provide you authorization, including under the Computer Fraud and Abuse Act (CFAA), to test the security of the products and systems identified as in-scope below. These terms do not provide you authorization to intentionally access company data or data from another person's account without their express consent, including (but not limited to) personally identifiable information or data relating to an identified or identifiable natural person.
If Facebook determines in its sole discretion that you have complied in all respects with these Bug Bounty Program Terms in reporting a security issue to Facebook, we will not initiate a complaint to law enforcement or pursue a civil action against you, including civil actions under the CFAA in connection with the research underlying your report and DMCA claims against you for circumventing the technological measures we have used to protect the applications in scope. Facebook will also not pursue legal action against you for clear accidental or good faith violations of its policy or these terms.
Your use of Facebook services and the services of any member of the Facebook family of companies, including for purposes of this program, remains subject to Facebook’s Terms and Policies and the terms and policies of any member of the Facebook family of companies whose services you use. To the extent activities authorized by these Bug Bounty Program Terms are inconsistent with other terms of service for in-scope Facebook companies and products, we waive those restrictions for the limited purpose of permitting security research under this policy.
If legal action is initiated by a third party against you for conduct that Facebook determines to have complied with these Bug Bounty Program Terms, Facebook will take steps to make it known, either to the public or the court, that your actions were authorized under this program.
We recognize and reward security researchers who help us keep people safe by reporting vulnerabilities in our products and services. Monetary bounties for such reports are entirely at Facebook’s discretion, based on risk, impact, and other factors. To be considered for a bounty, you must meet the following requirements:
Adhere to our Responsible Research and Disclosure Policy and Safe Harbor Provisions (see above).
Report a security bug: that is, identify a vulnerability in our services or infrastructure which creates a security or privacy risk. (Note that Facebook ultimately determines the risk of an issue, and that many software bugs are not security issues.) Report the vulnerability upon discovery or as soon as is feasible.
Report a security bug involving one of the products or services that are within the scope of the program (see “Bug Bounty Program Scope” below). We specifically exclude certain types of potential security issues, listed under “Out of Scope” and “False Positives” (see below).
Submit your report via our “Report a Security Vulnerability” form (one issue per report) and respond to any follow-up requests from our staff for updates or further information. Please do not contact our staff directly or through other channels about a report.
Use test accounts when investigating issues. If you cannot reproduce an issue with a test account, you can use a real account you are authorized to use (except for automated testing). Do not use or interact with any real account belonging to another person without explicit written consent of the account owner (e.g. do not test against Mark Zuckerberg’s account).
Before engaging in any action which may be inconsistent with or unaddressed by these terms of service, contact us for clarification by submitting a new submission with your question.
In turn, we will follow these guidelines when evaluating reports under our bug bounty program:
We investigate and respond to all valid reports. Due to the volume of reports we receive, though, we prioritize evaluations based on risk and other factors, and it may take some time before you receive a reply.
We determine bounty amounts based on a variety of factors, including (but not limited to) impact, ease of exploitation, and quality of the report. If we pay a bounty, the minimum reward is $500. Note that extremely low-risk issues may not qualify for a bounty at all. Even if the issue you identify is low-risk in isolation, if your report leads us to discover higher-risk vulnerabilities, we may, at our sole discretion, pay an increased award.
We will generally pay lower reward amounts for in-scope vulnerabilities that are only exploitable through outdated versions of non-Facebook developed software (e.g., a web browser), but we will still consider such reports.
We seek to pay similar amounts for similar issues, but bounty amounts and qualifying issues may change with time. Past rewards do not necessarily guarantee similar results in the future.
In the event of duplicate reports, we award a bounty to the first person to submit an issue. (Facebook determines duplicates in its sole discretion and is not obligated to share details on prior similar reports.) A given bounty is typically only paid to one individual. However, if a subsequent report on a previously evaluated issue reveals that a vulnerability still remains or is more serious than initially judged, we may pay a reward for the subsequent report and evaluate whether an additional reward is warranted for the initial entry.
You may donate a bounty to a recognized charity (subject to approval by Facebook). In fact, we double bounty amounts that are donated in this way.
We reserve the right to publish reports (and accompanying updates).
We publish a list of researchers who have submitted valid security reports. You must receive a bounty to be eligible for this list, but your participation on the list is then optional. We reserve the right to limit or modify the information accompanying your name in the list.
We verify that all bounty awards are permitted by applicable laws, including (but not limited to) US trade sanctions and economic restrictions.
From time to time, Facebook may offer promotions in connection with the Bug Bounty Program. To be eligible for such a promotion, a report may need to comply with additional rules governing the promotion, which are or will be made available at the following location (and are incorporated into these terms through this reference): https://www.facebook.com/whitehat/promotion/.
We may retain any communications about security issues you report for as long as we deem necessary for program purposes, and we may cancel or modify this program at any time.
To be eligible for a bounty, you can report a security bug in Facebook or one of the following qualifying products or acquisitions in the Facebook family:
Internet.org / Free Basics
Open source projects by Facebook (e.g. osquery)
Note that third-party applications or websites not owned or controlled by Facebook (e.g., WordPress VIP and Page.ly) are not within the scope of the program, except as outlined below.
Vulnerabilities in third-party apps or websites that integrate with Facebook (including most pages on apps.facebook.com) are within scope only where the following conditions are met:
The vulnerability is found in one of the following two ways:
through passively viewing data sent to or from your device while using the app or website. You are not permitted to manipulate any request sent to the app or website from your device or to otherwise interfere with the ordinary functioning of the app or website in connection with the research supporting your report. (For example, SQLi, XSS, open redirect, or permission-bypass vulnerabilities (such as IDOR) are strictly out of scope.)
other activity authorized by the third party responsible for the app or website, for example under the terms of the third party's own vulnerability disclosure or bug bounty program. Facebook's Bug Bounty Terms do not provide any authorization allowing you to test an app or website controlled by a third party. Please only share details of a vulnerability if permitted to do so under the third party's applicable policy or program. Your report should include a link to the third party's vulnerability disclosure or bug bounty program, or to any authorization received from the third party for the activity underlying your report.
The vulnerability must have some potential impact on Facebook user data or systems (e.g. access token disclosure).
Whether we will pay any award in response to a report of a vulnerability affecting a third-party app or website (and if so, how much) is completely within our discretion. Factors that will influence our award decision include, but are not limited to, our ability to verify the vulnerability and ensure that it is remediated, the number of FB users potentially affected (we generally will only provide a bounty when over 200,000 FB users may be potentially affected), and the extent of the potential impact the vulnerability could have on Facebook user data or systems if left unfixed. Receiving an award through the relevant third party's bug bounty program does not disqualify you from receiving an award through the Facebook Bug Bounty program if submitted in compliance with these terms.
If you are unsure whether a service is within the scope of the program or not, feel free to ask us. Below are some specific examples of in-scope and out-of-scope apps and websites to help guide your research.
Target | Eligible | Ineligible
Facebook | Websites: facebook.com, fb.com, fb.me, messenger.com, thefacebook.com, accountkit.com. Apps: Ads Manager, Facebook, Facebook Lite, Workplace by Facebook, Groups, Hello, Mentions, Messenger, Moments, Pages Manager, Paper (by Facebook), Work Chat | Websites: events.fb.com, fbsbx.com, investor.fb.com, media.fb.com, newsroom.fb.com, research.fb.com, search.fb.com, work.fb.com, madebykorea.fb.com. Apps: Facebook for Blackberry, Facebook for Windows
Instagram | Websites: instagram.com. Apps: Boomerang, Hyperlapse, Instagram, Layout | Websites: blog.instagram.com
Internet.org | Websites: freebasics.com, internet.org. Apps: Free Basics | (none listed)
Oculus | Websites: oculus.com. Hardware: all first-party hardware. Software: first-party PC and mobile apps | Websites: answers.oculus.com, forums.oculus.com, support.oculus.com
Open Source | Code repos: https://github.com/facebook/ | (none listed)
WhatsApp | Websites: blog.whatsapp.com, translate.whatsapp.com, web.whatsapp.com, whatsapp.net, www.whatsapp.com | Websites: alpha.whatsapp.com, media.whatsapp.com
Other Partnerships/Acquisitions | (none listed) | Websites: daytum.com, drop.io, face.com, friendfeed.com, monoidics.com, opencompute.org, spaceport.io
Spam or social engineering techniques.
Content injection. Posting content on Facebook is a core feature, and content injection (also "content spoofing" or "HTML injection") is out of scope unless you can clearly demonstrate a significant risk.
Security issues in third-party apps or websites that integrate with Facebook (including most pages on apps.facebook.com), except in the specific circumstances described in “Bug Bounty Program Scope” (see above).
Executing scripts on sandboxed domains (such as fbrell.com or fbsbx.com). Using alert(document.domain) in your payload can help verify if the context is actually *.facebook.com.
Open redirects. Any redirect using our "linkshim" system is not an open redirect (learn more).
Profile pictures available publicly. Your current profile picture is always public (regardless of size or resolution).
Note that public information also includes your username, ID, name, current cover photo, gender, and anything you’ve shared publicly (learn more).
Sending messages to anyone on Facebook (learn more).
Accessing photos via raw image URLs from our CDN (Content Delivery Network). One of our engineers has posted a more detailed explanation (external link).
Case-insensitive passwords. To avoid login problems, we also accept the "caps lock" version of a password (all letter cases inverted) and the version with only the first character capitalized.
Missing attribution on page posts. We generally show page admins which admin created a post, but this is not a security control.
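The "sandboxed domains" item above suggests alert(document.domain) as a way to confirm where a payload actually executed. The following is an added example (not Facebook's code) of the host check a researcher would apply to that value before filing a report: it treats fbsbx.com and fbrell.com as sandbox hosts (taken from the list above) and only accepts facebook.com and its true subdomains as first-party, rejecting look-alikes such as "notfacebook.com" and "facebook.com.evil.example". The helper and function names are this example's own, and the sample inputs are constructed.

```javascript
// Added example, not code from the bug bounty page. Classifies the host a
// payload ran on as first-party facebook.com, a sandbox domain, or something else.

// Sandbox hosts named on the page; scripts running here are out of scope.
const SANDBOX_SUFFIXES = ["fbsbx.com", "fbrell.com"];
const FIRST_PARTY_SUFFIX = "facebook.com";

// Extract a bare hostname from either a full URL (location.href) or a plain
// host string (what alert(document.domain) shows). Lower-cases and drops a
// trailing dot so "WWW.Facebook.com." compares equal to "www.facebook.com".
function hostFromOrigin(origin) {
  const s = String(origin).trim().toLowerCase();
  if (s.includes("://")) {
    return new URL(s).hostname.replace(/\.$/, "");
  }
  // Plain host, possibly with a port or path appended by hand.
  return s.split("/")[0].split(":")[0].replace(/\.$/, "");
}

// True only for the suffix itself or a subdomain separated by a label
// boundary: "m.facebook.com" matches, "notfacebook.com" and
// "facebook.com.evil.example" do not. A bare endsWith() check would accept
// the first of those look-alikes.
function isSubdomainOf(host, suffix) {
  return host === suffix || host.endsWith("." + suffix);
}

// Returns "sandbox", "facebook" or "other". Sandbox hosts are checked first
// because they are the case the page singles out as out of scope.
function classifyPayloadHost(origin) {
  const host = hostFromOrigin(origin);
  if (host === "") return "other"; // e.g. javascript: or about:blank URLs
  if (SANDBOX_SUFFIXES.some((s) => isSubdomainOf(host, s))) return "sandbox";
  if (isSubdomainOf(host, FIRST_PARTY_SUFFIX)) return "facebook";
  return "other";
}

// Constructed sample values a researcher might have copied from alert() popups.
const samples = [
  "https://m.facebook.com/some/page",
  "www.facebook.com",
  "https://static.fbsbx.com/upload/x",
  "fbrell.com",
  "facebook.com.evil.example",
  "notfacebook.com",
];
for (const s of samples) {
  console.log(`${s} -> ${classifyPayloadHost(s)}`);
}
```

In a browser, prefer location.hostname over document.domain for this check: document.domain is a settable property that a page can shorten to a parent domain, whereas location.hostname always reflects the document's actual origin.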