What you need to know
- Meta has announced bug bounty payout guidelines for its Reality Labs hardware products.
- A persistent full secure boot bypass of a Quest device will yield a bounty award of up to $30,000.
- Ray-Ban Stories, which Meta developed in partnership with EssilorLuxottica, is also in scope for the bug bounty program.
Facebook parent Meta on December 10 introduced updates to its bug bounty program, expanding how it rewards bug hunters for its Reality Labs products, including Meta Quest 2 and Meta Portal. Announcing the updates in a blog post, Meta noted that it is important to know what the "next generation of security threats will look like" for augmented and virtual reality technologies.
Researchers who discover potential vulnerabilities in Meta's Ray-Ban Stories smart glasses will also be eligible to receive a bounty award. Additionally, researchers who submit vulnerabilities in the smart glasses and Facebook View app will get safe harbor protections.
The company says the move is aimed at providing "more transparency into the bounty award process" for its hardware devices. Payouts will be based on the maximum possible security impact of the submitted bug.
While a bug that allows unauthorized mic access on Quest would yield a bounty award of $5,000, researchers can earn up to $30,000 for a persistent full secure boot bypass of the headset. The tech giant will also consider a bug's potential health, safety, and privacy risks when determining the final bounty payout.
Meta's bug bounty program is one of the longest-running programs of its kind in the industry. Last year, the company paid nearly $2 million in bounty awards to security researchers from over 107 countries. It has also awarded additional funding to eight recipients to research security topics such as multi-factor authentication in AR and hardware trojan detection using machine learning and imaging.