
Meta has removed over 200 influence operations, raises bug bounty payouts

Cybersecurity personnel with Meta shared how the social media giant is protecting users in a recent year-end report. (Photo by Justin Sullivan/Getty Images)

Meta, the parent company of Facebook and Instagram, disclosed in a new report that it has disrupted over 200 influence operations on its platforms since 2017 and raised its bug bounty payouts to as much as $300,000.

In a Dec. 15 post, Meta’s chief information security officer (CISO) and the head of security policy detailed how the social media giant protects users from various threats on its platforms.

“Security is a highly adversarial space where we are constantly thinking about how our products, our policies and our enforcement may get abused. We have to keep evolving our defenses and processes in response to malicious actors trying to work around them. The stronger our defenses become, the more threat actors try to exploit even the smallest gaps in enforcement and expand their targeting across different services,” wrote Guy Rosen, Meta’s CISO, and Nathaniel Gleicher, who heads security policy. “This means that our industry must continue collaborating through information-sharing with each other and security researchers to raise the bar across the board.”

Meta’s Coordinated Inauthentic Behavior (CIB) policy leads to 200-plus disruptions

The security officials said the company has stopped over 200 covert influence operations from 68 countries since instituting its CIB policy in 2017.

The covert operations most often targeted the United States, followed by Ukraine and the United Kingdom. Operations most often originated from Russia, followed by Iran and Mexico.

Meta also reported on the growing threat of the global surveillance-for-hire industry that collects intelligence or compromises devices of people, such as journalists, activists and politicians. The report said it removed spyware entities in China, Russia, Israel, the U.S. and India that targeted people in almost 200 countries.

A related report details how Meta removed hundreds of Facebook and Instagram accounts linked to Israeli developers such as Candiru and Quadream, both of which were founded by former employees of NSO that were testing malicious activities. NSO is the Israeli firm that developed the infamous Pegasus spyware.

“This industry exponentially increases the supply of threat actors by providing powerful surveillance capabilities to its clients against people who typically have no way of knowing they are being targeted,” they wrote.

Meta's bug bounty program updated to the metaverse

Rosen and Gleicher wrote that Meta’s bug bounty program played an important role in collaborating with researchers to find and fix bugs in its apps. The company said it awarded over 750 bug bounty reports in 2022, paying out more than $2 million to the research community.

They also noted that Meta’s new payout amounts were raised to $300,000 for mobile remote code execution (RCE) bugs, making it one of the highest-paying in the industry. The payout for account takeover (ATO) reports ranges as high as $130,000.

Neta Oren, bug bounty lead, announced that Meta’s bounty program will also extend to the metaverse and its latest products, Meta Quest Pro and the Meta Quest Touch Pro controllers, making it “among the first bug bounty programs to set payout guidelines for VR and mixed reality devices.”

Stephen Weigand

Stephen Weigand is managing editor and production manager for SC Media. He has worked for news media in Washington, D.C., covering military and defense issues, as well as federal IT. He is based in the Seattle area.
