Meta Expands Bug-Bounty Program to Include Data Scraping

Published: 23/11/2024   Category: security




Scraping bugs and scraped databases are two new areas of research for the company's bug-bounty and data-bounty programs.



Meta, recently rebranded from Facebook, today announced the expansion of its bug-bounty and data-bounty programs to reward valid reports of so-called scraping bugs and scraped databases with monetary compensation and matched charity donations, respectively.
The move is meant to address the risk of attack activity designed to scrape public and private data, which poses a threat to all kinds of websites and services. Scrapers such as malicious apps, websites, and scripts are constantly being updated to evade detection; the idea here is to make the process harder and more expensive for attackers, explained Dan Gurfinkel, security engineering manager, in a blog post.
The programs will start as a private bounty track for Meta's Gold+ HackerPlus researchers. The company will reward reports of scraping methods, even if the targeted data is public, he noted. Its goal is to find bugs that allow attackers to bypass scraping limitations and access data at a larger scale than a product intended.
"Our goal is to quickly identify and counter scenarios that might make scraping less costly for malicious actors to execute," he wrote. To the best of the company's knowledge, this is the industry's first data-scraping bug-bounty program.
Lack of proper rate limiting is currently included in the program's scope, Gurfinkel continued, but its terms don't allow hackers to automate data access and collection. Meta is encouraging research into logic bypass issues that could enable attackers to access information through unintended mechanisms, even if proper rate limits are in place.
Starting Dec. 15, Meta's bug-bounty program will reward reports of unprotected or openly public databases containing at least 100,000 unique Facebook user records with personally identifiable information (PII) or sensitive data, such as email addresses, phone numbers, physical addresses, or religious or political affiliations.
"The reported dataset must be unique and not previously known or reported to Meta," Gurfinkel wrote. "We aim to learn from this effort so we can expand the scope to smaller datasets over time."
If it's confirmed that PII was scraped and is available on a website outside Meta, the company says it will work to take appropriate measures, such as working with the website's owner to remove the dataset or taking legal action to make sure the problem is addressed. If the data is exposed due to a misconfigured third-party application, for example, it will seek to work with the developer to mitigate the issue.
Payouts for Datasets and Flaws
Rewards for both the bug-bounty and data-bounty programs will be based on the maximum impact of each report, with a minimum reward of $500.
For the scraping vulnerabilities, Meta will pay out monetary rewards for valid reports, as it has historically done for bug-bounty program submissions. For scraped datasets, however, rewards look a little different.
Valid reports of scraped datasets will be rewarded with a charity donation to the nonprofit of the researcher's choosing "to ensure that we do not incentivize scraping activity," Gurfinkel wrote. Meta will match each bounty, so researchers can hunt datasets knowing they'll direct more money to causes that matter to them.
Today's news marks the latest expansion of Meta's bug-bounty program since it first launched in 2011. Since then, the program has received more than 150,000 reports, the company says; at least 7,800 were awarded a bounty. Beyond Facebook, the program covers Web and mobile clients across apps including Instagram, WhatsApp, Quest, and Workplace, among others.
Looking ahead, the company plans to ramp up efforts in educating the next generation of hackers with its inaugural BountyConEDU, a Madrid-based conference created for university students across Europe.
