Looking back at our Bug Bounty program in 2024

- In 2024, our bug bounty program awarded more than $2.3 million in bounties, bringing our total bounties since the creation of our program in 2011 to over $20 million.
- As part of our defense-in-depth strategy, we continued to collaborate with the security research community in the areas of GenAI, AR/VR, ads tools, and more.
- We also celebrated the security research done by our bug bounty community as part of our annual bug bounty summit and many other industry events.
As we embark on a new year, we’re sharing several updates on our work with external bug bounty security researchers to help protect our global community and platforms. This includes new payout stats, details on what’s in scope for GenAI-related bug reports, and a recap of some of our engagements throughout last year with bug bounty researchers.
Highlights from Meta’s bug bounty program in 2024
In 2024, we received nearly 10,000 bug reports and paid out more than $2.3 million in bounty awards to researchers around the world who helped make our platforms safer.
- Since 2011, we have paid out more than $20 million in bug bounties.
- Last year, we received nearly 10,000 reports and paid out awards on nearly 600 valid reports.
- In 2024, we awarded more than $2.3 million to nearly 200 researchers from more than 45 countries.
- The top three countries based on bounties awarded last year are India, Nepal, and the United States.
Engaging researchers in bug hunting in GenAI
After making our generative AI features available to security researchers through our long-running bug bounty program in 2023, Meta has continued to roll out new GenAI products and tools. In 2024, we provided more details to our research community on what’s in scope for bug bounty reports related to our large language models (LLMs). We now welcome reports that demonstrate integral privacy or security issues associated with Meta’s LLMs, including being able to extract training data through tactics like model inversion or extraction attacks.
We have already received several impactful reports focused on our GenAI tools, and we look forward to continuing this important work with our community of researchers to help ensure the security and integrity of our GenAI tools.
Encouraging security research in ads audience and hardware products
This year, we prioritized our efforts to steer security research by the bug bounty community towards a number of product surfaces, including:
Ads audience tools designed to help people choose a target audience for their ads: We introduced new payout guidelines to provide transparency to our security researchers on how we assess the impact of the reports we receive for potential security bugs in Meta’s ads audience tools. We cap the maximum base payout for discovering PII (name, email, phone number, state, ZIP, gender) for an ads audience at $30,000 and then apply any applicable deduction based on the required user interaction, prerequisites, and any other mitigating factors to arrive at the final awarded bounty amount. More details here.
Mixed reality hardware products: As Meta continues to roll out mixed reality products, we work to encourage security research into these hardware and AI-driven technologies to help us find and fix potential bugs as quickly as possible. In 2024, our bug bounty researchers contributed reports on potential issues in Quest that could have impacted safety settings or led to memory corruption. We also brought our Quest 3 and Ray-Ban Meta glasses to hardwear.io USA 2024, a leading conference that brings together top hardware hackers to test new hardware products and help uncover potential vulnerabilities.
Building and celebrating the global bug bounty community
As part of our continuous commitment to security research – both inside and outside Meta – we invested in enabling open collaboration with our bug bounty community by:
Organizing community events and presenting joint research: We hosted our annual Meta Bug Bounty Researcher Conference (MBBRC) in Johannesburg, South Africa, bringing together 60 of our top researchers from all over the world. We received more than 100 bug reports and awarded over $320,000 in total. We also co-presented talks at EkoParty, DEF CON, Hardwear.io, Pwn2Own, and other security research summits. This year, we’re pleased to share that the 2025 MBBRC will be hosted in Tokyo, Japan, May 12-15. Stay tuned for more details in 2025.
Celebrating long-time researchers: One of our most long-standing and prolific researchers, Philippe Harewood, reached a 10-year milestone with over 500 valid reports paid out by our bug bounty program. Noteworthy contributions over the years include Philippe’s groundbreaking research on an Instagram access token leak, a video capture limit bypass on Ray-Ban Stories, and more.
Providing resources and timely updates for the research community: The Meta Bug Bounty website serves as a centralized hub for all bug bounty news and updates. Researchers can also follow the program on Instagram, Facebook, and X for quick updates.
Looking ahead
Meta’s bug bounty team looks forward to introducing new initiatives and continuing to engage with our existing community and new researchers who are just getting started. Additionally, we will continue to provide seasoned experts with unique opportunities to test unreleased features through our private bug bounty tracks.
For the past 14 years, our bug bounty program has fostered a collaborative relationship with external researchers that has helped keep our platforms safer and more secure. We would like to extend a heartfelt thanks to everyone who contributed to the growth of our program in 2024.
The post Looking back at our Bug Bounty program in 2024 appeared first on Engineering at Meta.