In an effort to harden the security of its hardware products, Meta today announced new guidelines for its Bug Bounty program, specifying the inclusion of both the Quest Pro headset and Touch Pro controllers, and what the company will pay out for specific bugs uncovered by security researchers.
Like some other tech companies, Meta runs a Bug Bounty program which encourages security researchers to probe its products for vulnerabilities in exchange for a payout.
Meta has been running this program for some time across various products, but today the company added new payout guidelines specific to its VR products, including Quest Pro and the Touch Pro controllers, as well as Quest 2, Quest 1, and many of the company’s recent non-VR hardware products.
According to the guidelines, Meta is offering up to $45,000 for major exploits on its hardware products (like remote code execution on a headset), and between $500 and $3,000 for smaller exploits (like sneaking an app around the user’s permission settings).
The guidelines detail how Meta will assess the various classes of exploits and how their severity will determine the payout. The company says it will take a range of factors into consideration, including findings that could “potentially result in physical health and safety and privacy risks.”
One of the most interesting devices added to the program is surely the Touch Pro controllers. As far as Meta’s VR headsets go, this is a whole new class of device—essentially a little computer capable of tracking its own position thanks to three on-board cameras. None of the company’s prior VR headsets have had such sophisticated controllers, and it will be interesting to see if they open the door to any new security vulnerabilities.
In a blog post recounting the last year of the company’s Bug Bounty program, Meta says it paid out some $2 million to security researchers this year. The company says it got around 10,000 reports in 2022, 750 (7.5%) of which it determined qualified for a payout. That makes the average bounty payment for 2022 around $2,700 per qualifying bug.