Meta today announced it’s updating a bug bounty program for its hardware products, something intended to reward anyone outside of the company who reports security vulnerabilities. With some new payout guidelines in place, Meta is ostensibly aiming to highlight its commitment to security following a total rebrand that’s put significant focus on its XR hardware and its vision of the metaverse.

Meta says the program, which over the past year has netted third-party security researchers over $2 million in bounties, will include its most recent XR products, such as Quest 2, Meta Portal, and Ray-Ban Stories.

With the updated bug bounty program, the company says it’s being more transparent with bounty payout amounts, and what system vulnerabilities it classifies as top priorities.

Meta lists a few concrete examples of what to expect in its new hardware-focused payout guidelines. A bug that might surreptitiously allow mic access on Quest could net someone $5,000. A persistent, full secure boot bypass of Quest software would pay out up to $30,000.

“If a researcher demonstrates in a bug report that their finding could potentially result in physical health, safety, or privacy risks, we’ll also take these impacts into consideration when determining the overall bounty payout,” Meta says in a blog post. “As we’ve done since establishing the bug bounty program more than 10 years ago, the final payout amount will be based on the maximum possible security impact of a bug submission.”

Ray-Ban Stories | Image courtesy Ray-Ban, Facebook

This follows the company’s announcement in October that it was rebranding away from Facebook and Oculus, and making a commitment to build out its vision of an interoperable and immersive social platform—i.e. ‘the metaverse’.

To boot, Meta has just launched an open beta for Horizon Worlds, the company’s proto-metaverse platform that puts an emphasis on user-generated content—the sort of thing we’ve seen from long-standing social VR platforms such as Rec Room and VRChat.

The new bug hunter guidelines seemingly come amidst a greater shift within Meta Reality Labs in how it develops hardware. In a leaked company memo from earlier this year, Reality Labs head Andrew Bosworth maintained the company would change its approach to product development and put greater focus on security and data privacy at the hardware level.

“Instead of imagining a product and trimming it down to fit modern standards of data privacy and security we are going to invert our process. We will start with the assumption that we can’t collect, use, or store any data,” Bosworth’s memo reads. “The burden is on us to demonstrate why certain data is truly required for the product to work. Even then I want us to scope it as aggressively as we can, holding a higher bar for sending data to the server than we do for processing it locally. I have no problem with us giving users options to share more if they choose (opt-in) but by default we shouldn’t expect it.”

All of this seems like Meta is turning over a new leaf; however, trust is more easily broken than it is granted. It’s something the company will have to actively battle if it hopes to deflect unwanted scrutiny around its future products, which will necessarily be geared towards gathering increasingly sophisticated biometric user data.


  • kontis

    The burden is on us to demonstrate why certain data is truly required for the product to work.

    Hey, Boz, how about the Voice SDK you just launched that sends everything to your servers so you can collect everything people say? Snapdragon XR2 in Quest 2 has neural net hardware acceleration. It implies you should be able to do on device speech recognition.

    Where is your demonstration proving it cannot be done? I would love to read your blog post about this choice with all the excuses.

    And please don’t use the “we need more data to improve the product and train our neural net” argument – you can easily just ask for consent (volunteers) like many companies do. No need to snoop on everyone all the time.

  • sfmike

    Why when you block the spam that appears on every post on this site it always re-appears? It’s so annoying.

    • Jonathan Winters III

      I wish the owners of the site would take more responsibility for all the spam posts, but I think the husband and wife team are too busy creating content.

      • Andrew Jakobs

        Disqus, the comment system used, is not a husband/wife team. But it looks more deliberate to me that Disqus doesn’t do anything about it. The spam here is so easily detected by any simple spam filter.

  • If I discovered how to root the Quest, I would not get this $30K and share the solution with the community

    • Andrew Jakobs

      Of course you would…

    • ViRGiN

      If you achieved that, you would be offered even greater rewards. Palmer offered $5000 and obviously he wouldn’t even keep his word, he never does.

  • Well, the Ray-Ban Stories came and went in a moment–not to my surprise in the slightest.