On Friday, Facebook revealed it is offering substantially larger rewards for vulnerabilities found in Hermes and Spark AR through its bug bounty program.
Its bug bounty program has covered vulnerabilities found in native Facebook code, but the company says it wants to encourage security researchers to analyze Hermes and Spark AR, which is why it has significantly increased the bounties for bugs found in those two projects.
“May adjust the amount depending on the particular bug and exploit. For instance, an exploit chain that lacks an ASLR bypass will result in a slightly lower payout. Likewise, an out-of-bounds write where the route to RCE is not clear would receive a lower payout,” explained Facebook.
As a guideline, a vulnerability that allows an attacker to read user data might be worth $15,000. Denial-of-service (DoS) flaws resulting from out-of-bounds read or write bugs will earn researchers between $500 and $3,000.
Researchers can also receive a bonus of up to $15,000 if they provide a complete proof-of-concept (PoC) exploit, meaning a remote code execution flaw could be worth $40,000.
Last year, Facebook paid out more than $2.2 million through its bug bounty program, and a total of almost $10 million since its program was launched in 2011.