
Meta paid out more than $2.3 million in bounties under its whitehat program, encouraging researchers who hunt for bugs within the firm’s platforms and report them to the company. Still, some cybersecurity pros say they aren’t happy.
Since the creation of the bug bounty program back in 2011, Meta has paid out over $20 million in bounties to people who regularly find vulnerabilities on the company’s platforms.
Meta indeed receives a staggering number of reports. Last year alone, nearly 10,000 reached the company, although the firm deemed only around 600 of them valid enough to warrant a payout.
In 2021, nearly 200 researchers from more than 45 countries were financially compensated. India, Nepal, and the United States were the three top countries based on bounties awarded.
The statistics are similar every year, but 2024 seems to have been a bit different: earlier that year, Meta had made its generative AI features available to security researchers through the bug bounty program.
In 2024, Meta provided more details to its research community on what’s in store for bug bounty reports related to its large language models and is now welcoming reports that demonstrate integral privacy or security issues associated with them.
“We have already received several impactful reports focused on our GenAI tools, and we look forward to continuing this important work with our community of researchers to help ensure the security and integrity of our GenAI tools,” said Meta.
This year, the company says it’s trying to steer security research towards “a number of product surfaces” such as ads audience tools and mixed reality hardware products.
Already in 2024, bug bounty researchers found potential issues in Meta Quest devices that could have impacted safety settings or led to memory corruption.
One recent reward stands out. In December, Meta awarded security researcher Ben Sadeghipour with $100,000 when he found a security vulnerability that allowed him to run commands on the internal Facebook server housing the social media giant’s ad platform.
I'm honestly still in disbelief... grateful to receive a $100k bounty from @meta. Feels surreal. Sharing this to show that with time and dedication, it's possible. This was my first and only submission to Facebook - something I've been chasing for a decade! 🙏 Big thank you to… pic.twitter.com/hH9fIDYtay
Ben Sadeghipour (@NahamSec), December 30, 2024
It’s not all smooth sailing. Quite a few researchers have been complaining on Reddit that Meta wasn’t even reacting to their reports about allegedly critical bugs.
Sure, the backlog of this high-volume program is huge. Still, some say they are waiting for a response months after submitting a report.
Publicity could help. When one Redditor detailed his “horrible experience” with Meta’s bug bounty program, the company took 10 hours to reply and pay him “a very generous bounty.”
In an email to Cybernews, Meta described the payout-time bonus it offers in the event it takes the company more than 30 days to issue a bounty payout.