Facebook Announces Payout Guidelines for Bug Bounty Program


The payout guidelines provide insight into the process used by the company to determine rewards for certain vulnerability categories. Specifically, it provides information on the maximum bounty for each category and describes the mitigating factors that can result in a lower reward.

Payment guidelines are currently available for page admin vulnerabilities, for which the top bounty is $5,000, server-side request forgery (SSRF), with a maximum reward of $40,000, and bugs in mobile apps, for which the bounty is capped at $45,000.

For example, payouts are lowered depending on whether and how much user interaction is required for exploitation. There are several mitigating factors in each category.