If you believe you have found a security vulnerability on Facebook, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. Before reporting though, please review this page including our responsible disclosure policy, reward guidelines, and those things that should not be reported.
If you are looking to report another type of issue, please use the links below for assistance.
Responsible Disclosure Policy
If you give us reasonable time to respond to your report before making any information public, and make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service during your research, we will not bring any lawsuit against you or ask law enforcement to investigate you.
To show our appreciation for our security researchers, we offer a monetary bounty for certain qualifying security bugs. Here is how it works:
To qualify for a bounty, you must:
- Adhere to our Responsible Disclosure Policy (above)
- Be the first person to responsibly disclose the bug
- Report a bug that could compromise the integrity of user data, circumvent the privacy protections of user data, or enable access to a system within our infrastructure, such as:
  - Cross-Site Scripting (XSS)
  - Cross-Site Request Forgery (CSRF/XSRF)
  - Broken Authentication (including Facebook OAuth bugs)
  - Circumvention of our Platform/Privacy permission models
  - Remote Code Execution
  - Privilege Escalation
  - Provisioning Errors
- Report a bug in Facebook or one of the following qualifying acquisitions:
- Make every effort to use a test account instead of a real account when investigating bugs. When you are unable to reproduce a bug with a test account, it is acceptable to use a real account, except for automated testing.
- Not interact with other accounts without the consent of their owners.
- Not reside in a country under any current U.S. sanctions (e.g., North Korea, Libya, Cuba)
- Bounties are awarded at the discretion of the bug bounty team
- Our minimum reward is $500 USD
- There is no maximum reward: each bug is awarded a bounty based on its severity and creativity. See the Bug Bounty Facebook page for examples of real issues and the bounties we've paid.
- Only one bounty per security bug will be awarded
- We only pay individuals
- If you choose to donate to a recognized charity we will match your bounty so that the charity gets double the bounty amount!
Attributes of a Good Report
- Detailed steps in your message explaining how to reproduce the bug. This should include any links you clicked on, pages you visited, URLs, user IDs, etc. Images and video can be helpful if you also include written explanations.
- Clear descriptions of any accounts used in your report and the relationships between them. Please do not use the same name on multiple accounts to avoid confusion.
- Quality before quantity. Many of our highest-paid reports had just a few lines of precise, clear explanations.
- If you send a video, consider these tips:
  - Keep it short by showing only the parts necessary to demonstrate the bug once. (Remove or redo mistakes that might happen while recording.)
  - Record at a resolution where text or URLs are readable (at least 480p; 1080p is usually not necessary).
  - Provide commentary or instructions in your messages or video description instead of typing on-screen during the video.
  - Setting Facebook to English while recording steps helps us quickly identify what features you use.
  - If a large amount of text appears in your video, please include a copy in your messages as well.
  - Keep the video private either by uploading it as an attachment or posting it privately online (such as with a hidden link or password that you send to us).
Ineligible Reports and False Positives
- Open redirects. Any redirect using our "linkshim" system is not an open redirect.
- Profile pictures available publicly. Your current profile picture is always public (regardless of size or resolution).
  - Note that public information also includes your username, ID, name, current cover photo, gender, and anything you've shared publicly.
- Spam or social engineering techniques.
- Denial-of-service attacks.
- Content injection. Posting content on Facebook is a core feature, and content injection (also "content spoofing" or "HTML injection") is ineligible unless you can clearly demonstrate a significant risk.
- Sending messages to anyone on Facebook.
- Security issues in third-party apps or websites that integrate with Facebook (including most pages on apps.facebook.com). These are not managed by Facebook and do not qualify under our guidelines for security testing.
- Accessing photos via raw image URLs from our CDN (Content Delivery Network). One of our engineers has written an explanation with more details (external link).
- Case-insensitive passwords. To avoid login problems, we accept the "caps lock" version of a password, or the version with only the first character capitalized.
- Executing scripts on sandboxed domains (such as fbrell.com or fbsbx.com). Using alert(document.domain) can help verify if the context is actually *.facebook.com.
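As an added example (not code from the Facebook page), the following helper classifies the host a script actually executed on against the scope rule above: in-scope (*.facebook.com), sandboxed (the fbrell.com and fbsbx.com domains named above), or other. It assumes the classification is done from `location.hostname`; the domain lists and function names are the example's own.

```javascript
// Added example, not part of the Facebook bug bounty page.
// Classify the host an injected script ran on, so a report can be checked
// against the scope rule: *.facebook.com is in scope, sandboxed domains are not.
const IN_SCOPE_DOMAIN = "facebook.com";
const SANDBOX_DOMAINS = ["fbrell.com", "fbsbx.com"]; // named on the page as sandboxed

// True when host is `domain` itself or a subdomain of it. The explicit
// leading-dot check stops look-alikes such as "notfacebook.com" or
// "facebook.com.example.net" from being treated as in scope.
function isUnderDomain(host, domain) {
  const h = host.toLowerCase();
  return h === domain || h.endsWith("." + domain);
}

function classifyContext(host) {
  if (!host) return "unknown";
  if (SANDBOX_DOMAINS.some((d) => isUnderDomain(host, d))) return "sandboxed";
  if (isUnderDomain(host, IN_SCOPE_DOMAIN)) return "in-scope";
  return "other";
}

// In a browser, call this from the context where the script executed.
// location.hostname is used rather than document.domain because a page may
// set document.domain to a parent domain, which would blur the check.
function classifyCurrentContext() {
  if (typeof location === "undefined") return "unknown";
  return classifyContext(location.hostname);
}
```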