In 2024, Meta continued its commitment to improving security across its platforms by paying out more than $2.3 million in bug bounties to researchers who identified vulnerabilities in its products. The tech giant received nearly 10,000 vulnerability reports last year, with about 600 qualifying for payout. Nearly 200 researchers benefitted from the rewards.
Meta’s bug bounty program, in operation since 2011, has become a critical part of its security strategy. The company has now paid out over $20 million to researchers, covering its wide range of platforms such as Facebook, Instagram, Messenger, WhatsApp, Meta Quest, and Meta AI. In addition, open-source code contributions are also included in the program.
Bounties vary depending on the severity of the reported vulnerability. Researchers can earn as much as $300,000 for high-impact issues such as mobile code execution flaws, with other significant rewards available for account takeover vulnerabilities, server-side request forgery (SSRF) bugs, and hardware-related issues. Meta has also started rewarding researchers for identifying flaws in its generative AI and mixed-reality products, reflecting the company’s evolving technological focus.
Meta’s bug bounty program has become a key part of the company’s cybersecurity efforts, and in preparation for its annual Meta Bug Bounty Researcher Conference (MBBRC) in May in Tokyo, it is celebrating the contributions of long-time researcher Philippe Harewood, who has earned over 500 bug bounties for his submissions in the past decade.
With a growing focus on security, Meta is reinforcing its partnership with external researchers, acknowledging that their collective efforts are crucial in ensuring the safety and resilience of its platforms.
