
My Disappointing Experience with Meta’s Bug Bounty Program: A Critical 2FA Vulnerability That Went Nowhere

Introduction

As a security researcher, I recently had a frustrating experience with Meta’s Bug Bounty program. Despite reporting a critical security vulnerability—one that I had verified to be a legitimate bug—my report was rejected twice and marked as a duplicate, even though Meta was fully aware of the issue. In this post, I’ll walk you through my experience with the Meta Bug Bounty system and explain why it was so disappointing.

The First Response: Marked as “Not Acceptable”

When I first submitted my report about the 2FA vulnerability to Meta, I was hopeful that my findings would be taken seriously. However, my submission was rejected and marked as “Not Acceptable.” I was not given a clear explanation as to why, which was frustrating. Below is a screenshot of the first Meta reply, showing that the report was dismissed with little consideration.

The Second Report: Marked as a “Duplicate”

After my initial report was rejected, I didn’t have any reopening credits to resubmit the same issue. So, I filed a second report, providing the same details about the 2FA vulnerability and verifying that it was indeed a security risk. To my surprise, the second report was also closed, and this time it was marked as a “duplicate.” Meta claimed that they were already aware of the issue and working on a fix.

What Happened After the Second Report?

I pointed out that I had already reported this issue, which had been wrongly marked as “Not Acceptable” the first time around. Meta admitted that the second report had been mistakenly categorized as a duplicate. However, they still considered both reports “Not Acceptable,” and no further action was taken. This seemed completely illogical. I had reported a valid vulnerability, but instead of acknowledging the issue, my efforts were dismissed without any proper solution or recognition.

What This Means for Bug Bounty Hunters

Meta’s response raises significant concerns about the integrity of their Bug Bounty program. For those who report security vulnerabilities, it is disheartening to be dismissed so easily without due recognition or a clear explanation. If a vulnerability is legitimate and can affect users, it should be treated with more respect, regardless of internal awareness. This experience has left me wondering whether reporting bugs to Meta’s Bug Bounty is worth the time and effort.

Conclusion

My experience with Meta’s Bug Bounty program was, to put it simply, disappointing. A critical security issue was dismissed multiple times, and no appropriate action was taken. I hope Meta will take these concerns seriously and improve the way they handle reports in the future. If you’re a bug bounty hunter, be aware of the challenges that might come with working on Meta’s platform. You might find yourself questioning the process, just like I did.

If you’re a bug bounty hunter or a security researcher, share your experiences in the comments below. Let’s discuss how we can help make bug bounty programs better for everyone.
