Meta adds Quest 2, Portal, and Ray-Ban Stories updates to its bug bounty program

Meta added some hardware products to its bug bounty program | Illustration by Alex Castro / The Verge

Facebook parent company Meta is adding updates to its bug bounty program for products from its metaverse division Reality Labs, including its Quest 2, Portal, and Ray-Ban Stories smart glasses, the company announced Friday. The work will play an important role in its “journey to help build the metaverse,” according to a press release.

The press release emphasized that verified Ray-Ban Stories bug submissions are eligible for awards, which it’s hoping will incentivize more researchers to “analyze the glasses and our other hardware devices.” The minimum award for discovering a bug is $500, and the amounts increase depending on the device and the potential impact of the bug discovered. The biggest payout listed is $30,000 but could go even higher at the company’s discretion, for bugs that could potentially result in health, safety, or privacy risks.

Meta offered a list of hypothetical bugs and what the payouts could look like:

An issue that would allow a malicious third-party application to inject content that is then consumed by a first-party application, such as pictures to a slideshow or audio to a call, would receive a ~$1,000 payout under the “Issues caused by potentially malicious third-party apps”

A third-party app gaining microphone access without requesting it on a Quest device would receive a $5,000 payout under “Unauthorized mic access by third-party app.”

A third-party application on Quest that is able to crash or disable Guardian would receive a $3,000 payout under “DoS”

Remote code execution through a buffer overflow in the Quest voice chat library, getting execution in a privileged first-party application would receive a $16,000 payout.

The company first established its bug bounty program in 2011 and says it’s been instrumental in helping it find and fix bugs, with nearly $2 million in awards paid to security researchers last year alone, according to a blog post from company security engineering manager Dan Gurfinkel.

The complete list of payouts and guidelines can be found here.