Facebook has expanded its bug reward program, offering up to $40,000 for critical vulnerabilities in its open source JavaScript engine.

The social media platform announced that it will increase payouts for bugs in JavaScript engine Hermes and its Spark AR platform.

Spark AR (augmented reality) is the platform used to build quirky and colorful effects within Facebook.
The statement reads:

“Given the popularity of AR effects across our products, we’d like to encourage our bug bounty community to look for bugs in Hermes and Spark AR,”.

“Native bug submissions have always been eligible under our bug bounty program, and to encourage further research into this area, we’ve decided to increase the payout amounts we award for verified bugs identified in Hermes.”

Facebook is also offering about $20,000 for any vulnerability that leaks sensitive information to an attacker.

This comes after a security researcher scored a big pay day for reporting several vulnerabilities that lead to server-side request forgery (SSRF).

The pen tester and application developer, who earned three rewards for two of four discoveries, has earned $30,000 after he discovered an internal blind SSRF in the source code of a publicly accessible endpoint, built using tools from MicroStrategy, that performed custom data collection and content generation.

Source: Harworth Jessica.