The vulnerabilities found in Facebook's native code are already covered by the bug bounty program, but the company stated that it wants to encourage more researchers to work on Hermes and Spark AR, which is why it added additional rewards.
For example, an ethical hacker could earn up to $25,000 for finding a vulnerability or exploit that allows remote code execution when a Spark AR effect is run.
"The amount can be adjusted depending on the bug and the exploitation. For example, an exploitation chain that does not contain an ASLR bypass can lead to a slightly lower reward. Similarly, an out-of-bounds write where there is no clear path to RCE will receive a lower reward," Facebook explained.
A vulnerability that allows an attacker to read user data can be worth an average of $15,000. DoS flaws resulting from out-of-bounds errors can earn researchers between $500 and $3,000.
A researcher can also earn an additional $15,000 by providing the company with a full proof-of-concept (PoC) exploit, which means they could receive $40,000 for a remote code execution vulnerability.
Last year alone, Facebook paid out more than $2.2 million through its bug bounty program, and a total of nearly $10 million since the program began in 2011.