{"id":12251,"date":"2022-12-15T17:07:51","date_gmt":"2022-12-15T17:07:51","guid":{"rendered":"http:\/\/scannn.com\/looking-back-at-our-bug-bounty-program-in-2022\/"},"modified":"2022-12-15T17:07:51","modified_gmt":"2022-12-15T17:07:51","slug":"looking-back-at-our-bug-bounty-program-in-2022","status":"publish","type":"post","link":"https:\/\/scannn.com\/lv\/looking-back-at-our-bug-bounty-program-in-2022\/","title":{"rendered":"Looking Back at Our Bug Bounty Program in 2022"},"content":{"rendered":"<div>\n<p>As we close out this year, we\u2019re sharing a number of <a href=\"https:\/\/about.fb.com\/news\/2022\/12\/protecting-people-from-online-threats-in-2022\/\">updates<\/a> on our work to protect people around the world against various threats. As part of this, we\u2019re sharing some updates from our bug bounty program over the past year, a look at how we are working with external researchers to help secure our virtual reality (VR) and mixed reality metaverse technology, and new payout guidelines with bounty amounts as high as $300,000.<\/p>\n<p>We received hundreds of impactful bug reports in 2022 from researchers all over the world that have helped to make our community more secure, and we paid out more than $2 million in bounty awards.<\/p>\n<p><b>Here are some highlights from our bug bounty program:<\/b><\/p>\n<ul>\n<li>Since 2011, we have paid out more than $16 million in bug bounties.<\/li>\n<li>Since 2011, we have received more than 170,000 reports, of which more than 8,500 were awarded a bounty.<\/li>\n<li>So far in 2022, we have awarded more than $2 million to researchers from more than 45 countries.<\/li>\n<li>This year, we received around 10,000 reports in total, and issued bounties on more than 750 reports.<\/li>\n<li>The top three countries based on bounties awarded this year are India, Nepal and Tunisia.<\/li>\n<\/ul>\n<h2>Connecting the Bug Bounty Community With the Metaverse<\/h2>\n<p>This year, we prioritized further 
integrating our bug bounty program into our journey to the metaverse by:<\/p>\n<p><strong>Highlighting the Scope of Our Program: <\/strong>Today, we\u2019re updating our terms to highlight that our latest products, Meta Quest Pro and the Meta Quest Touch Pro controllers, are eligible for the bug bounty program.<\/p>\n<p><b>Updating Payout Guidelines: <\/b>We\u2019re adding new <a href=\"https:\/\/www.facebook.com\/whitehat\/payout_guidelines\/hardware\">payout guidelines<\/a> for <a href=\"https:\/\/tech.fb.com\/ar-vr\/2021\/12\/announcing-bug-bounty-updates-for-reality-labs\/\">VR technology<\/a>, including bugs specific to Meta Quest Pro. We\u2019re among the first bug bounty programs to set payout guidelines for VR and mixed reality devices, and we will continue to update and adjust them as the industry evolves.<\/p>\n<p><b>Putting Our Technology in the Hands of Researchers: <\/b>Because the bug bounty space is relatively new for many, we worked this year to make our hardware technology more accessible to the researcher community so they can find and report bugs. For example, we made our VR technology a focus for our annual BountyCon conference, the industry\u2019s only regular conference for bug hunters. One of our highest-rated sessions at this year\u2019s conference was a presentation on how to hunt for bugs across our VR headsets and smart glasses. Following this session, we invited researchers to explore Meta Quest 2 devices and use them during our live hacking event.<\/p>\n<p>One of the bugs we rewarded as part of the conference was submitted by our long-time researcher Youssef Sammouda, who reported an issue in Meta Quest\u2019s OAuth flow that could have led to a 2-click account takeover. 
We\u2019ve fixed this issue, our investigation has found no evidence of abuse, and we rewarded this report a total of $44,250, including program bonuses.<\/p>\n<h2><b>New Payout Guidelines<\/b><\/h2>\n<p>To encourage research into specific areas, we\u2019re releasing updated <a href=\"https:\/\/www.facebook.com\/whitehat\/payout_guidelines\">payout guidelines<\/a> for mobile remote code execution (RCE) bugs, in addition to brand-new payout guidelines for account takeover (ATO) and two-factor authentication (2FA) bypass vulnerabilities.<\/p>\n<p>These new\u00a0guidelines range as high as $130,000 for ATO reports and $300,000 for mobile RCE bugs, making our Bug Bounty program one of the highest paying in the industry.<\/p>\n<p>These guidelines are intended to set an average maximum payout for a particular bug category and to describe the mitigating factors we consider in determining the bounty, to help researchers prioritize their hunting. Ultimately, each report is evaluated on a case-by-case basis and could, in some cases, be awarded higher than the cap depending on the internally assessed impact.<\/p>\n<h2><b>Bug Highlights<\/b><\/h2>\n<p>The following are some examples of impactful bugs that we awarded under our new guidelines:<\/p>\n<p><b>Account Takeover and Two-Factor Authentication Bypass Chain: <\/b>We received a report from Yaala Abdellah, who identified a bug in Facebook\u2019s phone number-based account recovery flow that could have allowed an attacker to reset passwords and take over an account if it wasn\u2019t protected by 2FA. We\u2019ve fixed this bug and found no evidence of abuse. We rewarded the researcher our highest bounty at $163,000, which reflects its maximum potential impact and program bonuses. While we were investigating, the researcher was able to build on an earlier find to chain it to a separate 2FA bypass bug. 
We\u2019ve fixed this issue and rewarded the researcher an additional bounty of $24,700, including program bonuses.<\/p>\n<p><b>2FA Bypass: <\/b>We also fixed a bug reported by Gtm M\u00e4n\u00f4z of Nepal, which could have allowed an attacker to bypass SMS-based 2FA by exploiting a rate-limiting issue to brute-force the verification PIN required to confirm someone\u2019s phone number. We awarded a $27,200 bounty for this report.<\/p>\n<p>Thank you to the bug bounty community for a great year \u2014 we are excited to work together again in 2023.<\/p>\n<\/div>\n<p><a href=\"https:\/\/about.fb.com\/news\/2022\/12\/metas-bug-bounty-program-2022\/\">Source link <\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>As we close out this year, we\u2019re sharing a number of updates on our work to protect people around the world against various threats. 
As part of this, we\u2019re sharing some updates from our bug bounty program over the past year, a look at how we are working with external researchers to help secure our [&hellip;]<\/p>\n","protected":false},"author":16,"featured_media":12252,"comment_status":"","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[123],"tags":[],"class_list":["post-12251","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-facebook"],"_links":{"self":[{"href":"https:\/\/scannn.com\/lv\/wp-json\/wp\/v2\/posts\/12251","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/scannn.com\/lv\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/scannn.com\/lv\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/scannn.com\/lv\/wp-json\/wp\/v2\/users\/16"}],"replies":[{"embeddable":true,"href":"https:\/\/scannn.com\/lv\/wp-json\/wp\/v2\/comments?post=12251"}],"version-history":[{"count":0,"href":"https:\/\/scannn.com\/lv\/wp-json\/wp\/v2\/posts\/12251\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/scannn.com\/lv\/wp-json\/wp\/v2\/media\/12252"}],"wp:attachment":[{"href":"https:\/\/scannn.com\/lv\/wp-json\/wp\/v2\/media?parent=12251"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/scannn.com\/lv\/wp-json\/wp\/v2\/categories?post=12251"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/scannn.com\/lv\/wp-json\/wp\/v2\/tags?post=12251"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}