How to Earn $500 - $80,000 by Reporting a Bug in Facebook? - Meta Bug Bounty Explained

How to report a bug in Facebook and earn $500 - $80k (Step-by-Step)


Do you know that reporting bugs in Meta products like Facebook, Instagram, WhatsApp, and Threads can be a lucrative source of income? If not, stick with me: in today's article, I will teach you how to report a Facebook bug and earn money online.

If you are wondering how to report a bug in Facebook and earn money ($500 - $80k), this article will show you how to report a bug, vulnerability, or any other security flaw in Facebook and get rewarded for it.

First of all, give me a few seconds to explain what a bug is.

A bug is mostly understood as a small insect that is usually harmful or annoying. In the same way, the term bug refers to a specific malfunction in software, a program, or a device/machine that causes annoyance and makes it work incorrectly.

Today, Facebook bugs are not only something to research; they have become a source of living for many people all over the world.

But many people are still unaware of the bug bounty program and have no idea how to get started.

For them, this post explains how to get started with Facebook's bug bounty program, how to fill in the bug report form, and a common, practical format for reporting a bug that gives it a better chance of being accepted.


Eligibility for the Bug Bounty Program

You can report a security bug in Facebook or in one of Facebook's products. Security bugs hunted in the Facebook app, the Instagram app / web version, Oculus, WhatsApp, and FB Lite are within the scope of the bug bounty program.



What types of bugs are not covered by the bounty program?

You need to confirm that your bug is eligible under Facebook's bug bounty policies in order to get paid. A bug is not rewarded in the following cases:

  • Bugs found using techniques such as spam or social engineering.
  • Content injection: content injection (also known as "content spoofing" or "HTML injection") is not covered unless you can convincingly show a security danger.
  • Bugs in third-party websites or apps.
  • Crash reports from mobile apps that cannot be reproduced on current OS versions or mobile devices launched within the past two calendar years.

Before getting started, keep in mind that only bugs or security flaws that harm people's privacy, a company's privacy, or the usability of Facebook are accepted under the bug bounty program. Read about the policy and scope of the Facebook bug bounty here.


Once you are confident about the bug, visit the Facebook whitehat program page. There, click on 'Report Vulnerability Form'. The process then goes something like this.


You can follow these steps to report a bug in Facebook from your mobile or desktop.

  1. First, be sure that what you found is a bug and that it puts users' privacy at risk.
  2. Then, go to facebook.com/whitehat in your browser.
  3. You may need a PC to work effectively, but "Desktop Version" on mobile browsers also works fine.
  4. Then, click on "Report Vulnerability Form".
  5. Now, submit your bug there.

Before looking at a sample report, let us clear up some thoughts, confusions, and questions that you might have about the Meta bug bounty.

Some Thoughts on Meta Bug Bounty Program

What is the Meta Bug Bounty Program?

The Meta Bug Bounty Program, run by Meta (formerly known as Facebook), rewards individuals who identify and report security vulnerabilities in their platforms.

How much can I earn by reporting a bug?

Depending on the severity and impact of the bug you report, rewards range from $500 to $80,000.

Who is eligible to participate?

Anyone with a Facebook account is welcome to participate. There are no specific requirements or restrictions.

What types of bugs qualify for the bounty?

Security vulnerabilities that affect user data privacy, account security, and system integrity are eligible. Common examples include cross-site scripting (XSS), SQL injection, and remote code execution.

How do I report a bug to Meta?

Use the Meta Bug Bounty submission form to report bugs. Include a detailed description, steps to reproduce the issue, and any supporting materials such as screenshots or code snippets.

How does Meta determine the reward amount?

Meta assesses the severity, impact, and exploitability of the bug. The more critical and potentially damaging the bug, the higher the reward.

Will my identity be protected?

Yes, Meta ensures your personal information remains confidential unless you consent to its disclosure.

How long does it take to receive a reward?

The timeline varies. After you submit a report, Meta’s security team reviews and validates the bug. If approved, you'll receive your reward once the bug is fixed or mitigated, which can take several weeks.

Can I report a bug if I work for Meta?

No, Meta employees and their family members are not eligible for the Bug Bounty program.

What should I do if my bug report is rejected?

Review the feedback from Meta. If you have additional information or discover more details, you can resubmit your report.

Can I share my findings publicly?

Do not disclose the vulnerability publicly until Meta has resolved it. Premature disclosure can disqualify you from receiving a reward and might harm users.

Are there any legal implications in participating?

As long as you follow Meta’s rules and guidelines, participating is legal. Avoid testing on accounts or systems you do not own or have explicit permission to test.

Where can I find more information about the program?

Visit the Meta Bug Bounty Program page for more details and to review their rules and guidelines.

Can I participate if I find a bug on Instagram or WhatsApp?

Yes, Meta's Bug Bounty program includes all their platforms, including Instagram and WhatsApp.


Meta / Facebook Bug Bounty Writeup Example

Here, we assume an issue on which the rest of this tutorial is based.


Facebook Bug Submission Sample: 

Title

Facebook unlimited name verification without any documents

Vuln Type

Other

Product Area

Facebook - Android

Description/Impact

Complete Details

"Everyone is required to use their authentic name on facebook"
This is what Facebook says when someone tries to put an invalid name on Facebook.

But recently, I found a loophole in a Facebook function, seen in all versions of Facebook (web, Android, Lite, etc.), which allows people to change their name to the name of a renowned personality or public figure with no time bound or limit of 60 days.

It will seriously impact Facebook's usability, as people are faking their names and hiding their identity with this error.

Let me explain what the problem really is:

Suppose my name is "Alex Wilson" on Facebook now, and I changed it to "Sam Wilson". Now I am unable to change my name on Facebook before 60 days, right? But no, I don't need to wait, because I can change it unlimited times before 60 days and Facebook itself allows it.

There is a feature on Facebook to verify your name before 60 days by submitting any valid or legal document in which our valid name is written and filling in the form at this link:
https://www.facebook.com/help/contact/1417759018475333

and if everything is OK, then we will be able to confirm our name despite the 60-day limit.

But due to AI technology or something else, Facebook is accepting any kind of document.

If I want to change my name from "Sam Wilson" to "Adam Wilson" again, I don't really need any citizenship, passport, or valid document for that. All I have to do is put my nickname "Adam Wilson", make it visible at the "top of the profile", and take a screenshot of it; then I have to fill in the form at the link mentioned above and, in the attachments, attach the same screenshot.

[Photo]
Sam Wilson (Adam Wilson)

Then, within 2 to 3 hours, Facebook will update the name to "Adam Wilson", though there wasn't any legal document or paper, just a screenshot with my "nickname" written like this, given as the attachment.


This can be a serious issue on Facebook.

Impact
[What is the security or privacy risk to Facebook or its users?]
===

Firstly, it goes against the policies and rules/regulations of Facebook. Facebook brought in this feature to help people confirm their identity when their names are not accepted on Facebook by bot or AI authentication. But by using this loophole/error, anyone can change their name to anyone else's name (including great personalities) UNLIMITED times on Facebook.

For example, an attacker can misuse the names of public figures. By default, a person is not allowed to use the name of a public figure like "Justin Bieber" (just taking an example here). But since Facebook is verifying the name on the basis of a screenshot of the profile, anyone can use the name "Justin Bieber", and hence misuse of names, fake identities, etc. will increase on Facebook.

In a nutshell,
people won't feel safe, and it can hamper Facebook's authenticity and reliability.

And not only this, Facebook will verify people with criminal intentions who have fake identity verification.


Repro Steps

Setup
===
Users: [UserA is an attacker and UserB is a public figure or renowned personality]

Environment: [Facebook Web]

Browser: [n/a]

App version: [applicable on all versions of facebook]

OS: [Android and Windows]

Description: [First, I put my name as "Alex Wilson"; then,

I (the attacker) went to Settings > General > Personal Information and changed my name to "Albert Wilson".

Later on, I changed my mind and wanted to change my name to something else that does not resemble my original name, like "Justin Bieber (victim)".

For that, I went to the change name option. Then I clicked on "Learn More", filled in the name change appeal, and filled in the name, and I successfully changed my name as well...

The steps are given precisely below, along with the screenshots, to help you better figure it out.]

Steps
1. The attacker goes to Settings.
2. He sees:
"You can't change your name on Facebook right now because you've changed it in the last 60 days. You can still change the order. Learn more."
3. First, he goes to the "Add a nickname" option, adds the name he wants to have as the nickname, and clicks "Save".
4. He makes sure to tick ✅ "Show in the top of profile".
5. He goes to his profile and takes a screenshot of it.
6. Then he goes to Settings > General Information > Personal Information > Name.
7. Then he clicks on "Learn more" > "fill out this form to request a name change and confirm your name."
8. Then he fills in the victim's name there, and in the attachments, though he was supposed to send government IDs, he sends the same screenshot that he took of his profile.
9. Within 3 to 4 hours, his name is verified by Facebook and changes to whatever he filled in, such as other people's names or great celebrities' names, and Facebook grants it.
10. ***NOTE*** Sometimes, Facebook rejects the name in the support inbox and asks again for a photo that verifies his name.
11. And in the support inbox, sending "that same screenshot" verifies any kind of name for sure.

Hoping Facebook's technical team will ponder the seriousness of this problem and that it will be fixed soon.

Note: This is not a bug; rather, it is a social engineering attack. It is given here so that you can see how to fill in the bug bounty form correctly.

Conclusion
In this way, you can write a good bug report. A real person from the Facebook security team reviews your report first, and if everything is OK and they find your bug to be really serious, your report is accepted into the bug bounty program; they then evaluate your bug and reward you with money starting from $500 to $10,000.