Meta Paid Out $2.3 Million to Researchers via Bug Bounty Program
The post Meta Paid Out $2.3 Million to Researchers via Bug Bounty Program appeared first on Cyber Security News.

In 2024, Meta, the parent company of Facebook, Instagram, and WhatsApp, continued its commitment to cybersecurity by awarding over $2.3 million through its bug bounty program.
This initiative, which began in 2011, has now surpassed $20 million in total payouts, underscoring Meta’s dedication to collaborating with the global security research community to enhance platform safety and integrity.
Meta received nearly 10,000 vulnerability reports in 2024, with around 600 deemed valid for bounty payouts.
These awards were distributed among nearly 200 researchers from over 45 countries. Notably, India, Nepal, and the United States topped the list of countries with the highest number of rewarded researchers.
The program incentivizes ethical hackers to identify and report security vulnerabilities across Meta’s platforms and products, including Facebook, Messenger, Instagram, WhatsApp, and hardware like Meta Quest and Ray-Ban Stories.
Focus on Generative AI Security
In 2024, Meta expanded its bug bounty scope to include generative AI (GenAI) features. Researchers were invited to identify privacy or security issues within Meta’s large language models (LLMs), such as vulnerabilities enabling model inversion or data extraction attacks.
Several impactful reports were submitted on GenAI tools, reflecting the growing importance of securing AI-driven technologies.
Meta also prioritized security research on its ads audience tools and mixed reality hardware.
For ads tools used for audience targeting, new payout guidelines were introduced with a maximum base payout of $30,000 for vulnerabilities exposing personally identifiable information (PII).
Adjustments to payouts were made based on factors like user interaction and mitigation measures.
In mixed reality hardware, researchers identified potential issues in devices like Meta Quest that could affect safety settings or lead to memory corruption.
To encourage further research in this domain, Meta showcased products like Quest 3 and Ray-Ban Meta glasses at leading hardware security conferences such as Hardwear.io USA 2024.
Meta’s annual Bug Bounty Researcher Conference (MBBRC) was held in Johannesburg, South Africa, bringing together top researchers from around the world.
The event resulted in over 100 bug reports and $320,000 in payouts. Looking ahead to 2025, the conference will be hosted in Tokyo.
The program also celebrated long-standing contributors like Philippe Harewood, who reached a milestone of over 500 valid reports during his decade-long association with Meta’s bug bounty initiative.
His contributions included identifying critical vulnerabilities like Instagram access token leaks and bypasses on Ray-Ban Stories devices.
As Meta enters its 14th year of running the bug bounty program, it aims to introduce new initiatives while continuing collaborations with both seasoned experts and emerging researchers.
Meta’s bug bounty program exemplifies how fostering collaboration with ethical hackers can significantly improve platform security while building a global community dedicated to cybersecurity innovation.