Facebook wants to pay you money for reporting bugs with Oculus Rift. The minimum bounty is $500, but higher bounties are possible. Here’s how to claim your cash.
1. Review the Eligibility Standards
Before you try to score a bounty, you should review Facebook’s terms and ensure that you are eligible. The terms are worth reading in full, but here are some of the guidelines:
“To qualify for a bounty, you must:
- Adhere to our Responsible Disclosure Policy
- Be the first person to responsibly disclose the bug
- Report a bug that could compromise the integrity of user data, circumvent the privacy protections of user data, or enable access to a system within our infrastructure, such as:
  - Cross-Site Scripting (XSS)
  - Cross-Site Request Forgery (CSRF/XSRF)
  - Broken Authentication (including Facebook OAuth bugs)
  - Circumvention of our Platform/Privacy permission models
  - Remote Code Execution
- Make every effort to use a test account instead of a real account when investigating bugs. When you are unable to reproduce a bug with a test account, it is acceptable to use a real account, except for automated testing.
- Not interact with other accounts without the consent of their owners.
- Not reside in a country under any current U.S. Sanctions (e.g., North Korea, Libya, Cuba, etc.)”
2. Familiarize Yourself With Facebook’s Bug Bounty Program
If you are new to bug bounty hunting, you should review some of the resources that Facebook has shared on their Bug Bounty page. This is a great resource for learning how to bug hunt, and for asking questions of your fellow bug hunters. Even experienced bug hunters will enjoy reading the success stories of other bug bounty recipients.
3. Search For Oculus Bugs in Likely Locations
According to The Verge, you are likely to have the best results if you narrow the focus of your bug search to certain areas:
“Right now, most of the bugs are in the messaging system for Oculus developers and parts of the website, which makes them not much different from bugs found in the social network, says Facebook security engineer Neal Poole…
‘A lot of the issues that come up with Oculus are not necessarily in the hardware yet,’ Poole says. ‘Potentially in the future, if people were to go explore and find issues in the SDK or the hardware, that is definitely of interest to us.'”
4. Submit Your Report
Submit your bug report to http://www.facebook.com/whitehat/report/. Facebook will be in touch if your bug discovery is worthy of a bounty. Sophos reports that Facebook paid out $1.5 million in bug bounties last year, so there is a good chance that bug reports that adhere to Facebook’s stringent standards will result in a payday.