Facebook Announced Rewards for Vulnerabilities in Hermes and Spark AR

Facebook

On Friday, Facebook revealed it is providing substantial incentives for vulnerabilities found in Hermes and Spark AR through its bug bounty programme.

Hermes is a JavaScript engine which was released a year ago by Facebook as an open source. Hermes is used for Android and other applications by the social media giant’s React Native apps, including Spark AR, an augmented reality tool used to create effects on Facebook , Instagram, and even on Facebook’s Portal smart displays.

Its bug bounty program has covered vulnerabilities found in native Facebook code, but the company says it wants to encourage security researchers to analyze Hermes and Spark AR, which is why bug bounties have increased significantly.

For example, if a white hat hacker discovers a vulnerability or an exploit chain that allows remote execution of code while running a Spark AR effect, they will receive $25,000. The exploit can either directly target the Spark AR platform, or the Hermes JavaScript VM.

“May adjust the amount depending on the particular bug and exploit. For instance, an exploit chain that lacks an ASLR bypass will result in a slightly lower payout. Likewise, an out-of-bound writing where the route to RCE is not clear would receive a lower payout, “explained Facebook.

On average, a vulnerability that allows an attacker to read user data might be worth $15,000. Denial-of – service (DoS) flaws resulting from out-of-bound read or write bugs will yield between $500 and $3,000 to researchers.

They can also receive a bonus of up to $15,000 if they provide a complete proof-of – concept (PoC) exploit, meaning they might get $40,000 for a flaw in remote code execution.

Last year, Facebook paid out more than $2.2 million through its bug bounty program, and a total of almost $10 million since its program was launched in 2011.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.