clock menu more-arrow no yes mobile

Filed under:

Meta adds Quest 2, Portal, and Ray-Ban Stories updates to its bug bounty program

The company is trying to encourage researchers to examine some of its hardware products

Meta added some hardware products to its bug bounty program
Illustration by Alex Castro / The Verge

Facebook parent company Meta is adding updates to its bug bounty program for products from its metaverse division Reality Labs, including its Quest 2, Portal, and Ray-Ban Stories smart glasses, the company announced Friday. The work will play an important role in its “journey to help build the metaverse,” according to a press release.

The press release emphasized that verified Ray-Ban Stories bug submissions are eligible for awards, which it’s hoping will incentivize more researchers to “analyze the glasses and our other hardware devices.” The minimum award for discovering a bug is $500, and the amounts increase depending on the device and the potential impact of the bug discovered. The biggest payout listed is $30,000 but could go even higher at the company’s discretion, for bugs that could potentially result in health, safety, or privacy risks.

Meta offered a list of hypothetical bugs and what the payouts could look like:

An issue that would allow a malicious third-party application to inject content that is then consumed by a first-party application, such as pictures to a slideshow or audio to a call, would receive a ~$1,000 payout under the “Issues caused by potentially malicious third-party apps”

A third-party app gaining microphone access without requesting it on a Quest device would receive a $5,000 payout under “Unauthorized mic access by third-party app.”

A third-party application on Quest that is able to crash or disable Guardian would receive a $3,000 payout under “DoS”

Remote code execution through a buffer overflow in the Quest voice chat library, getting execution in a privileged first-party application would receive a $16,000 payout.

The company first established its bug bounty program in 2011 and says it’s been instrumental in helping it find and fix bugs, with nearly $2 million in awards paid to security researchers last year alone, according to a blog post from company security engineering manager Dan Gurfinkel.

The complete list of payouts and guidelines can be found here.