Meta
Social media conglomerate operating Facebook, Instagram, WhatsApp, and Messenger, connecting billions of users worldwide.
https://meta.comMax Reward
$300,000
Total Paid
$16,300,000
Resolved
1087
Avg Response
2 days
In-Scope Assets
facebook.com
Facebook web app, Graph API, and authentication
instagram.com
Instagram web and API endpoints
WhatsApp Web, Desktop, and API
Meta Business Suite
Ads Manager, Business APIs, and Commerce tools
Out of Scope
- ✕ Oculus/Quest VR hardware
- ✕ Third-party apps using Facebook Login
- ✕ Spam/abuse reports
Severity Levels & Rewards
RCE, authentication bypass, privilege escalation, fund extraction
Stored XSS, CSRF with impact, API abuse, data manipulation
Reflected XSS, data leakage, logic flaws, information disclosure
Verbose errors, minor config issues, low-impact info disclosure
Active Bounties (3)
| ID | Title | Severity | Status | Reward | Submissions |
|---|---|---|---|---|---|
| META-001 | Account takeover via Facebook OAuth race condition | Critical | Resolved | $30,000–$100,000 | 5 |
| META-002 | Instagram API IDOR leaking private profile data | High | Open | $10,000–$25,000 | 1 |
| META-003 | Stored XSS in WhatsApp Web link preview renderer | High | Open | $10,000–$30,000 | 0 |
Rules of Engagement
• Do not access, modify, or delete data belonging to other users.
• Do not perform denial-of-service attacks or automated scanning at high volume.
• Report vulnerabilities promptly and provide sufficient detail to reproduce.
• Allow reasonable time for fix before public disclosure (90 days).
• Safe harbor: We will not pursue legal action against researchers acting in good faith within these rules.