Social media giant increases rewards for critical bugs in Hermes and Spark AR

Facebook has expanded its bug bounty program to offer up to $40k for JavaScript engine flaws

Facebook has expanded its bug bounty program, offering up to $40,000 for critical vulnerabilities in Hermes, its open source JavaScript engine.

The social networking giant announced that it will increase payouts for bugs in JavaScript engine Hermes and its Spark AR platform.

Spark AR is Facebook's platform for building the augmented reality (AR) effects used across its apps.

“Given the popularity of AR effects across our products, we’d like to encourage our bug bounty community to look for bugs in Hermes and Spark AR,” a statement reads.

“Native bug submissions have always been eligible under our bug bounty program, and to encourage further research into this area, we’ve decided to increase the payout amounts we award for verified bugs identified in Hermes.”

The highest reward – $40,000 – is reserved for remote code execution when running a Spark AR effect, either through a bug that exploits the Hermes JavaScript VM (virtual machine) or the Spark AR platform directly.

Bug hunters must provide a valid proof of concept exploit to be eligible for the payout.

Facebook is also offering up to $20,000 for any vulnerability that leaks sensitive information to an attacker.

It comes weeks after a security researcher scored a big payday for reporting several vulnerabilities that led to server-side request forgery (SSRF).

The pen tester and application developer received three rewards for two of his four submissions, totalling $30,000.

He discovered an internal blind SSRF in the source code of a publicly accessible endpoint, built using tools from MicroStrategy, that performed custom data collection and content generation.
