How to report a bug in Facebook and earn money ($500 - $80k)
A bug is mostly understood as a small insect that is usually harmful or annoying. In the same way, the term "bug" refers to a specific malfunction in software, a program, or a device/machine that causes annoyance and disrupts its normal operation.
Today, Facebook bugs are not only a subject of research; they have become a source of income for many people all over the world.
But many people still do not know about the Bug Bounty program and have no idea how to get started.
For them, this post explains how to get started with Facebook's Bug Bounty program, how to fill in the bug report form, and a common, practical format for reporting a bug that gives it a better chance of being accepted.
Eligibility of Bug Bounty Program
You can report a security bug in Facebook or one of Facebook's products. Security bugs hunted in the Facebook app, the Instagram app / web version, Oculus, WhatsApp, and FBLite are within the scope of the bug bounty program.
What types of bugs are not covered by the Bounty Program?
- Bugs found by techniques such as spam or social engineering.
- Injection of content: content injection (also known as "content spoofing" or "HTML injection") is not covered unless you can convincingly show a security danger.
- Third party websites or apps
- Crash reports from mobile apps that cannot be reproduced on current OS versions or mobile devices launched within the past two calendar years.
Before getting started, keep in mind that only bugs or security flaws that affect people's privacy, companies' privacy, or the usability of Facebook are accepted under the Bug Bounty Program. Read about the policy and scope of the Facebook bug bounty here.
Once you are confident about the bug, visit the Facebook whitehat program. On that page, click on 'report vulnerability form'. The process then goes something like this.
You can follow these steps to report a bug in Facebook from your mobile or desktop.
- First, be sure that what you found is a bug and that it risks the privacy of users.
- Then, go to facebook.com/whitehat from your browser.
- You may need a PC to work effectively, but "Desktop Version" on mobile browsers also works fine.
- Then, click on "Report Vulnerability Form".
- Now, submit your bug there.
Example of Bug Bounty WriteUp
Here, we have assumed an issue on which this tutorial is based.
Facebook Bug Submission Sample:
Title: Facebook unlimited name verification without any documents
Product Area: Facebook - Android
"Everyone is required to use their authentic name on facebook"
This is what Facebook says when someone tries to put an invalid name on Facebook.
But recently, I found a loophole in a Facebook function, seen in all versions of Facebook (web, Android, Lite, etc.), which allows people to change their name to the name of a renowned personality or public figure with no time bound or limit of 60 days.
It will seriously impact Facebook's usability, as people are faking their names and hiding their identity with this error.
Let me explain what the problem really is:
Suppose my name is "Alex Wilson" on Facebook now, and I changed it to "Sam Wilson". Now I am unable to change my name on Facebook before 60 days, right? But no, I don't need to wait, because I can change it unlimited times before 60 days, and Facebook itself allows it.
There is a feature on Facebook to verify your name before 60 days by submitting any valid or legal document in which our valid name is written and filling in the form at this link:
and if everything is OK, then we will be able to confirm our name despite the 60-day limit.
But due to AI technology or something else, Facebook is accepting any kind of document.
If I want to change my name from "Sam Wilson" to "Adam Wilson" again, I don't really need any citizenship, passport or valid document for that. All I have to do is put my nickname "Adam Wilson", make it visible at the "top of the profile" and take a screenshot of it; then I have to fill in the form in the link mentioned above and, in attachments, attach the same screenshot.
This can be a serious issue on Facebook.
[What is the security or privacy risk to Facebook or its users?]
Firstly, it goes against the policy and rules/regulations of Facebook. Similarly, Facebook introduced this feature to help people whose names are not accepted on Facebook by bot or AI authentication confirm their identity. But by using this loophole/error, anyone can change their name to anyone else's name (including great personalities) UNLIMITED times on Facebook.
For example, an attacker can misuse the name of public figures. By default, a person is not allowed to use the name of a public figure like "Justin Bieber" (just taking an example here). But since Facebook is verifying the name on the basis of a screenshot of the profile, anyone can use the name "Justin Bieber", and hence misuse of names, fake identities, etc. will increase on Facebook.
People won't feel safe, and it can hamper Facebook's authenticity and reliability.
And not only this, Facebook will verify people with criminal intentions who have fake identity verification.
Users: [UserA is an attacker and UserB is a public figure or renowned personality]
Environment: [Facebook Web]
App version: [applicable on all versions of Facebook]
OS: [Android and Windows]
Description: [First, I put my name as "Alex Wilson". Then,
I (attacker) went to Settings > General > Personal Information and changed my name to "Albert Wilson".
Later on, I changed my mind and wanted to change my name to something else that does not resemble my original name, like "Justin Bieber" (victim).
For that, I went to the change name option. Then I clicked on "Learn More", filled in the name change appeal with the name, and successfully changed my name as well...
Steps are precisely given below along with the screenshots to help you better figure it out.
1. The attacker goes to Settings.
2. He sees:
"You can't change your name on Facebook right now because you've changed it in the last 60 days. You can still change the order. Learn more."
3. First, he goes to the "Add a nickname" option, adds the name he wants to have as a nickname, and clicks "Save".
4. He makes sure to tick ✅ "Show in the top of profile".
5. He goes to his profile and takes a screenshot of it.
6. Then he goes to Settings > General Information > Personal Information > Name.
7. Then he clicks on "Learn more" > "fill out this form to request a name change and confirm your name." >
8. Then he fills in the victim's name there and, in attachments, though he was supposed to send government IDs, he sends the same screenshot that he took of his profile.
9. Within 3-4 hours, his name is verified by Facebook and changes to anything that he has filled in, like other people's names or great celebrities' names, and Facebook grants it.
10. ***NOTE*** Sometimes, Facebook rejects the name in the support inbox and asks again for a photo that verifies his name.
11. And in the support inbox, sending "that same screenshot" verifies any kind of name for sure.
Hoping the Facebook technical team will ponder the seriousness of this problem and that it will be fixed soon.