Meta today announced it’s updating a bug bounty program for its hardware products, something intended to reward anyone outside of the company who reports security vulnerabilities. With some new payout guidelines in place, Meta is ostensibly aiming to highlight its commitment to security following a total rebrand that’s put significant focus on its XR hardware and its vision of the metaverse.
Meta says the program, which over the past year has netted third-party security researchers over $2 million in bounties, will include its most recent XR products, such as Quest 2, Meta Portal, and Ray-Ban Stories.
With the updated bug bounty program, the company says it’s being more transparent with bounty payout amounts, and what system vulnerabilities it classifies as top priorities.
Meta lists a few concrete examples of what to expect in its new hardware-focused payout guidelines. A bug that might surreptitiously allow mic access on Quest could net someone $5,000. A persistent, full secure boot bypass of Quest software would pay out up to $30,000.
“If a researcher demonstrates in a bug report that their finding could potentially result in physical health, safety, or privacy risks, we’ll also take these impacts into consideration when determining the overall bounty payout,” Meta says in a blog post. “As we’ve done since establishing the bug bounty program more than 10 years ago, the final payout amount will be based on the maximum possible security impact of a bug submission.”
This follows the company’s announcement in October that it was rebranding away from Facebook and Oculus, and making a commitment to build out its vision of an interoperable and immersive social platform—i.e. ‘the metaverse’.
To boot, Meta has just launched an open beta for Horizon Worlds, the company’s proto-metaverse platform that puts an emphasis on user-generated content, the sort of thing we’ve seen from long-standing social VR platforms such as Rec Room and VRChat.
The new bug hunter guidelines seemingly come amidst a greater shift within Meta Reality Labs in how it develops hardware. In a leaked company memo from earlier this year, Reality Labs head Andrew Bosworth maintained the company would change its approach to product development and put greater focus on security and data privacy at the hardware level.
“Instead of imagining a product and trimming it down to fit modern standards of data privacy and security we are going to invert our process. We will start with the assumption that we can’t collect, use, or store any data,” Bosworth’s memo reads. “The burden is on us to demonstrate why certain data is truly required for the product to work. Even then I want us to scope it as aggressively as we can, holding a higher bar for sending data to the server than we do for processing it locally. I have no problem with us giving users options to share more if they choose (opt-in) but by default we shouldn’t expect it.”
All of this makes it seem like Meta is turning over a new leaf; however, trust is more easily broken than it is granted. It’s something the company will have to actively battle if it hopes to deflect unwanted scrutiny around its future products, which will necessarily be geared towards gathering increasingly sophisticated biometric user data.