The minimum remuneration is $ 500.
Facebook has expanded the reward program for the vulnerabilities found. Now the social network will pay a reward for information about the cases of leakage of user access tokens through third-party services and applications. The minimum remuneration is $ 500.
Access Tokens allow Facebook users to authorize in other applications and are generated individually for each person, access request and application. Information leakage can lead to various attacks, for example, interception of the session and account control, data theft or “man in the middle” attack.
Previously, the Facebook reward program did not cover vulnerabilities in third-party services, but now the company has revised the approach, however, with a number of conditions. In particular, Facebook will consider vulnerability reports only if they were detected during the “passive viewing of data sent from and to the device when using an application or web site”. Researchers are not allowed to “manipulate requests sent to an application or site or in any other way interfere with the normal operation of the application or site” during the analysis.
In addition, only reports on vulnerabilities in applications with an audience exceeding 50,000 active users will be taken into account. Testing should be carried out exclusively in the researcher’s own account, and a PoC code must be provided in the report.
The updated program does not cover vulnerabilities such as SQLi, XSS, Open Redirect, and bugs that allow circumvention of permissions.
In the event that developers of vulnerable applications or webmasters refuse to fix the problem, the company will suspend these products on the platform until the vulnerability is eliminated.