Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

https://github.com/jaiswalakshansh/Facebook-BugBounty-Writeups

Collection of Facebook Bug Bounty Writeups

# Meta(Facebook) BugBounty-Writeups

Inspired by [xdavidhu](https://github.com/xdavidhu/awesome-google-vrp-writeups) and [1hack0](https://github.com/1hack0/Facebook-Bug-Bounty-Write-ups), this repo collects up-to-date Facebook bug bounty writeups.

## Contributing:

If you have/know of any Facebook writeups not listed in this repository, feel free to open a Pull Request. Please try to sort the writeups by publication date.

The template to follow when adding new writeups:
```
- **[MONTH DAY - $BOUNTY]** [TITLE](URL) by [NAME](TWITTER_URL)
```
*If the bounty amount is not available, write `$???`.*

*If no Twitter account is available, try to find an equivalent, such as another social media page or a website.*

## Writeups

### 2024:-
- **[Feb 27 - $???]** [0-Click Account Takeover on Facebook](https://samiparyal.medium.com/0-click-account-takeover-on-facebook-e4120651e23e) by [Samip Aryal](https://twitter.com/samiparyal)
- **[Feb 04 - $???]** [XSS in Excalidraw used in Meta Messenger](https://spaceraccoon.dev/clipboard-microsoft-whiteboard-excalidraw-meta/?fbclid=IwAR0nckrTov2NWGB64Js9nLbac5CT2tdCYn-RV0E0B7dIlHL0pAglV035f1E) by [Eugene Lim](https://x.com/spaceraccoonsec)

### 2023:-
- **[Oct 12 - $14,500]** [How I Exposed Instagram's Private Posts by Blocking Users](https://003random.com/posts/meta-bountycon-instagram-writeup/) by [003random](https://fb.com/rub003)
- **[Sep 19 - $???]** [Anonymous post owner disclosure](https://bugreader.com/rony@283) by [Rony K Roy](https://fb.com/ronykroy3)
- **[Aug 31 - $10,000]** [How I could view any Facebook Groups Notes media](https://infosecwriteups.com/how-i-could-view-any-facebook-groups-notes-media-and-they-paid-me-a-10-000-fe22f8949d7c) by [Raja Sudhakar](https://medium.com/@rajasudhakar)
- **[Aug 22 - $25,300]** [Bypass Two-Factor Authentication of Facebook Accounts](https://medium.com/@bazzounbassem/bypass-two-factor-authentication-of-facebook-accounts-25-300-7ae152d7836a) by [Bassem M Bazzoun](https://twitter.com/bassemmbazzoun)
- **[May 4 - $12,500]** [CVE-2019-18426 - WhatsApp potential for RCE](https://weizman.github.io/2020/02/14/whatsapp-vuln/) by [Gal Weizman](https://twitter.com/WeizmanGal)
- **[Apr 27 - $500]** [Bypassing Link Sharing Protection](https://zerocode-ph.medium.com/bypassing-link-sharing-protection-in-messenger-kids-parents-control-feature-meta-bug-bounty-e53f2d148bd9) by [Syd Ricafort](https://twitter.com/devsyd11)
- **[Mar 18 - $???]** [Facebook Creator Studio Misconfiguration](https://medium.com/@abdulparkar9554/facebook-creator-studio-misconfiguration-348b0ee38c31) by [Abdul Rehman Parkar](https://medium.com/@abdulparkar9554)
- **[Mar 8 - 2023]** [Accessing to Data Sources of any Facebook Business account via IDOR in GraphQL](https://medium.com/@mukundbhuva/accessing-the-data-sources-of-any-facebook-business-account-via-idor-in-graphql-1fc963ad3ecd) by [Mukund Bhuva](https://twitter.com/MukundBhuva)
- **[Feb 26 - $???]** [Facebook bug: A Journey from Code Execution to S3 Data Leak](https://medium.com/@win3zz/facebook-bug-a-journey-from-code-execution-to-s3-data-leak-698b7d2b02ef) by [Bipin Jitiya](https://twitter.com/win3zz)
- **[Jan 31 - $62,500]** [DOM-XSS in Instant Games due to improper verification of supplied URLs](https://ysamm.com/?p=779) by [Youssef Sammouda](https://twitter.com/samm0uda)
- **[Jan 31 - $62,500]** [Account Takeover in Canvas Apps served in Comet due to failure in Cross-Window-Message Origin validation](https://ysamm.com/?p=783) by [Youssef Sammouda](https://twitter.com/samm0uda)
- **[Jan 31 - $44,250]** [Account takeover of Facebook/Oculus accounts due to First-Party access_token stealing](https://ysamm.com/?p=777) by [Youssef Sammouda](https://twitter.com/samm0uda)
- **[Jan 31 - $2,075]** [Disclosing Facebook page admins by playing a game](https://medium.com/@sudipshah_66336/disclosing-facebook-page-admins-by-playing-a-game-2b0f4ed082e4) by [Sudip Shah](https://medium.com/@sudipshah_66336)
- **[Jan 23 - $???]** [Two Factor Authentication Bypass On Facebook](https://medium.com/pentesternepal/two-factor-authentication-bypass-on-facebook-3f4ac3ea139c) by [Gtm Mänôz](https://twitter.com/Gtm0x01)
- **[Jan 11 - $1,726]** [Meta Quest: Attacker could make any Oculus user to follow (subscribe) him without any approval](https://www.vulnano.com/2023/01/meta-quest-attacker-could-make-any.html) by [Dzmitry Lukyanenka](https://twitter.com/vulnano)
- **[Jan 6 - $???]** [Instagram vulnerability : Turn off all type of message requests using deeplink (Android)](https://servicenger.com/mobile/instagram-vulnerability-turn-off-message-requests-deeplink/) by [Rahul Kankrale](https://twitter.com/RahulKankrale)

### 2022:-

- **[Dec 23 - $3,000]** [0 click Facebook Account Takeover and Two-Factor Authentication Bypass](https://medium.com/@yaala/account-takeover-and-two-factor-authentication-bypass-de56ed41d7f9) by [abdellah yaala](https://twitter.com/yaalaab)
- **[Dec 23 - $11,250]** [Delete any Video or Reel on Facebook (11,250$)](https://bugreader.com/social/write-ups-general-delete-any-video-or-reel-on-facebook-11-250--100965) by [Bassem Bazzoun](https://twitter.com/bassemmbazzoun)
- **[Dec 5 - $500]** [Irremovable comments on the FB Lite app](https://theshubh77.medium.com/write-up-irremovable-comments-on-fb-lite-app-a-story-of-a-simple-fb-lite-bug-that-i-found-just-125aaa826dd8) by [Shubham Bhamare](https://twitter.com/theshubh77)
- **[Nov 22 - $3,000]** [Header spoofing via a hidden parameter in Facebook Batch GraphQL APIs](https://feed.bugs.xdavidhu.me/bugs/0017) by [David Schütz](https://twitter.com/xdavidhu)
- **[Oct 17 - $18,750]** [Facebook SMS Captcha Was Vulnerable to CSRF Attack](https://lokeshdlk77.medium.com/facebook-sms-captcha-was-vulnerable-to-csrf-attack-8db537b1e980) by [Lokesh kumar](https://twitter.com/lokeshdlk77)
- **[Sep 06 - $???]** [Group expert's pending expertise request leaking](https://hopesamples.blogspot.com/2022/09/group-experts-pending-expertise-request.html) by [DF](https://www.blogger.com/profile/09415214335815845109)
- **[Sep 06 - $10,000]** [Abusing Self Hosted Github Runners at Facebook](https://marcyoung.us/post/zuckerpunch/) by [Marcus Young](https://github.com/myoung34)
- **[Sep 06 - $???]** [Details about future collaboration profiles and pages have been revealed](https://hopesamples.blogspot.com/2022/09/details-about-future-collaboration.html) by [DF](https://hopesamples.blogspot.com/)
- **[Sep 06 - $???]** [Group expert's pending expertise request leaking on Facebook](https://hopesamples.blogspot.com/2022/09/group-experts-pending-expertise-request.html) by [DF](https://hopesamples.blogspot.com/)
- **[Aug 11 - $3000]** [Email Confirmation bypass at Instagram](https://medium.com/@avinash_/email-confirmation-bypass-at-instagram-cc968f9a126) by [Avinash Kumar](https://medium.com/@avinash_)
- **[Aug 05 - $???]** [Irremovable guest in facebook event](https://infosecwriteups.com/irremovable-guest-in-facebook-event-facebook-bug-bounty-e10e03c98cd5) by [Rajiv Gyawali](https://medium.com/@rajeevgyawali92)
- **[Aug 02 - $550]** [Instagram photo was present in data backup](https://medium.com/@the_null_kid/instagram-photo-was-present-in-data-backup-nearly-after-two-years-being-deleted-f0e4d6e108) by [Jeewan Bhatta](https://medium.com/@the_null_kid)
- **[July 24 - $???]** [Contactpoint Inference through rate-limiting errors](http://www.hackingmonks.net/2022/07/facebook-bug-poc-contactpoint-inference.html) by [Hacking Monks](http://www.hackingmonks.net/)
- **[July 19 - $250]** [How I could’ve bought anything for Free from Facebook Business Pages](https://infosecwriteups.com/hacking-facebook-invoice-how-i-couldve-bought-anything-for-free-from-facebook-business-pages-42bcfaa73ec4) by [Samip Aryal](https://samiparyal.medium.com/)
- **[July 19 - $12,000]** [Instagram account takeover by malicious apps](https://www.vulnano.com/2022/07/react-debugkeystore-key-was-trusted-by.html) by [Dzmitry](https://twitter.com/xdzmitry)
- **[Jun 30 - $500]** [Facebook Portal’s business logic error](https://medium.com/@unurbayar1998/facebook-portals-business-logic-error-lead-to-500-708e91b4055f) by [Unurbayar](https://medium.com/@unurbayar1998)
- **[Jun 12 - $49,500]** [How I found a Critical Bug in Instagram](https://infosecwriteups.com/how-i-found-a-critical-bug-in-instagram-and-got-49500-bounty-from-facebook-626ff2c6a853) by [Neeraj Sharma](https://medium.com/@root.n33r4j)
- **[May 31 - $???]** [Abusing Facebook’s feature for a permanent account confusion](https://medium.com/@terminatorLM/abusing-facebooks-feature-for-a-permanent-account-confusion-logic-vulnerability-d7f5160f373a) by [terminator](https://twitter.com/terminatorLM)
- **[May 14 - $44,625]** [Multiple bugs chained to takeover Facebook Accounts](https://ysamm.com/?p=763) by [Sammouda](https://twitter.com/samm0uda)
- **[May 04 - $1,575]** [Remotely permanent crash any Instagram user via permanent DoS in user DM’s](https://www.yesnaveen.com/remotely-permanent-crash-any-instagram) by [Naveen](https://twitter.com/NaveenHax)
- **[Apr 30 - $1,000]** [Page Admin Disclosure when Posting a Reel](https://zerocode-ph.medium.com/page-admin-disclosure-when-posting-a-reel-1bfac9bd7f71) by [Syd Ricafort](https://twitter.com/devsyd11)
- **[Apr 28 - $12,000]** [Contact Point Deanonymization Vulnerability](https://lokeshdlk77.medium.com/contact-point-deanonymization-vulnerability-in-meta-90d575c4d8ef) by [Lokesh Kumar](https://lokeshdlk77.medium.com/)
- **[Apr 10 - $4400]** [Privacy Disclosure on Facebook Lite](https://medium.com/@RheyJuls/privacy-disclosure-on-facebook-lite-after-creating-a-post-b12a1cad8d8a) by [Rhey](https://medium.com/@RheyJuls)
- **[Apr 07 - $2,500]** [Meta's SparkAR RCE Via ZIP Path Traversal](https://blog.fadyothman.com/metas-sparkar/) by [Fady Othman](https://blog.fadyothman.com/author/fady-2/)
- **[Apr 04 - $???]** [View Friends List of any users using](https://ph-hitachi.medium.com/view-friends-list-of-any-users-using-view-as-facebook-bug-bounty-edeb6af5640b) by [Ph.Hitachi](https://ph-hitachi.medium.com/)
- **[March 06 - $???]** [Bypassing biometric authentication using voip in Whatsapp](https://infosecwriteups.com/whatsapp-bug-bounty-bypassing-biometric-authentication-using-voip-87548ef7a0ba) by [Arvind](https://twitter.com/ar_arv1nd)
- **[March 04 - $98,250]** [More secure Facebook Canvas Part 2](https://ysamm.com/?p=742) by [Samm0uda](https://twitter.com/samm0uda)
- **[March 03 - $4500]** [Instagram IDOR Bug](https://medium.com/@nvmeeet/4300-instagram-idor-bug-2022-5386cf492cad) by [Nawaf Alkhaldi](https://twitter.com/nvmeeet)
- **[Feb 25 - $1500]** [Bypassing default visibility for newly-added email](https://medium.com/@Kntjrld/bypassing-default-visibility-for-newly-added-email-in-facebook-part-i-submitting-i-d-da78142f032d) & [Part 2](https://medium.com/@Kntjrld/bypassing-default-visibility-for-newly-added-email-in-facebook-part-ii-trusted-contacts-36176eeb103) by [Kent Jarold Abulag](https://twitter.com/wkemenhehehegsg)
- **[Feb 21 - $3150]** [How I could’ve bypassed the 2FA security of Instagram once again](https://infosecwriteups.com/how-i-couldve-bypassed-the-2fa-security-of-instagram-once-again-43c05cc9b755) by [Samip Aryal](https://twitter.com/samiparyal_)
- **[Feb 16 - $7500]** [Trim private live videos and access them](https://medium.com/@yaala/trim-private-live-videos-and-access-them-a331447cc82a) by [Abdellah Yaala](https://medium.com/@yaala)
- **[Feb 06 - $7500]** [Facebook Oauth token leakage](https://medium.com/@yaala/facebook-oauth-bypass-446a073e687d) by [Abdellah Yaala](https://medium.com/@yaala)
- **[Feb 05 - $7500]** [Attacker could attach their own tournamnet to any live video.](https://bugreader.com/rony@attacker-could-attach-their-own-tournamnet-to-any-live-video-272) by [Rony K Roy](https://fb.com/ronykroy3)
- **[Feb 02 - $4000]** [Abusing Facebooks Call To Action To Launch Internal Deeplinks](https://www.ash-king.co.uk/blog/abusing-Facebooks-call-to-action-to-launch-internal-deeplinks?fbclid=IwAR0AVhnCXKwoQmy2vGQWBMyztXevZyVCv0OXxnSWiiDigWZU0Zb3u7yzZCU) by [Ash-King](https://www.ash-king.co.uk/)
- **[Jan 05 - $1050]** [How I was able to spoof any Instagram username on Instagram shop](https://medium.com/@nvmeeet/how-i-was-able-to-spoof-any-instagram-username-on-instagram-shop-b4d6abdb474a) by [Nawaf Alkhaldi](https://medium.com/@nvmeeet)
- **[Jan 04 - $1075]** [Execute arbitrary javascript (xss) and load arbitrary website](https://servicenger.com/mobile/facebook-android-webview-vulnerability/) by [Rahul Kankrale](https://twitter.com/RahulKankrale)

### 2021:-
- **[Dec 29 - $863]** [Add or remove the linked publications from Author Publisher settings](https://servicenger.com/mobile/idor-add-or-remove-the-linked-publications-from-author-publisher-settings-facebook-bug-bounty) by [Rahul Kankrale](https://twitter.com/RahulKankrale)
- **[Dec 20 - $4,500]** [How I was able to reveal page admin of almost any page on Facebook](https://medium.com/pentesternepal/how-i-was-able-to-reveal-page-admin-of-almost-any-page-on-facebook-5a8d68253e0c) by [Sudip Shah](https://medium.com/@sudipshah_66336)
- **[Dec 16 - $???]** [CSRF renew access to Apps](http://www.hackingmonks.net/2021/12/facebook-bug-poc-csrf-renew-access-to.html) by [Hacking Monks](http://www.hackingmonks.net/)
- **[Dec 04 - $???]** [Able to See and Delete Private Facebook Portal photos](https://pathleax.medium.com/this-is-how-i-was-able-to-see-and-delete-your-private-facebook-portal-photos-a93ed22f875b) by [Abhishek Pathak](https://pathleax.medium.com/)
- **[Dec 02 - $1,500]** [Disclose Ad Accounts linked with Instagram Accounts](https://yesnaveen.com/Instagram-ad-account-disclosure) by [Naveen](https://twitter.com/NaveenHax)
- **[Nov 23 - $25,000]** [CSRF in Instagram](https://medium.com/@mohamedajimi59/csrf-in-instagram-461cbba286a) by [Mohamed Laajimi](https://medium.com/@mohamedajimi59)
- **[Oct 24 - $???]** [Tagged User Could Delete Facebook Story](https://mrkrhy-xyz.medium.com/tagged-user-could-delete-facebook-story-d7f9cdde92aa) by [Mark Rhoy](https://mrkrhy-xyz.medium.com/)
- **[Oct 22 - $???]** [Unauthorized access to any Facebook user’s draft profile picture frames](https://www.appsecure.security/blog/unauthorized-access-to-facebook-draft-profile-picture-frames) by [Sandeep Hodkasia](https://mobile.twitter.com/sandeephodkasia)
- **[Sep 29 - $10,000]** [Malicious Android Applications can takeover Facebook/Workplace accounts](https://ysamm.com/?p=729) by [Samm0uda](https://twitter.com/samm0uda)
- **[Sep 29 - $500]** [Force Browsing bug at Facebook business plan](https://dewcode.medium.com/force-browsing-bug-at-facebook-business-plan-500-bounty-73d1bb4883af) by [Dewanand Vishal](https://dewcode.medium.com/)
- **[Sep 23 - $725]** [Messenger for MacOS contained hardcoded FB token](https://www.vulnano.com/2021/09/facebook-messenger-for-macos-contained.html?fbclid=IwAR2iT6KOZYRE6xaAjDRtDWqmyyZSmLK_UBXz3_L7x9OtqbQ04bkLJB_jIQE) by [Dzmitry](https://www.vulnano.com/)
- **[Sep 15 - $18,250]** [A Facebook bug that exposes email/phone number to your friends](https://iamsaugat.medium.com/a-facebook-bug-that-exposes-email-phone-number-to-your-friends-a980d24e5ea8) by [Saugat Pokharel](https://twitter.com/saugatpk5)
- **[Sep 08 - $???]** [Facebook email disclosure and account takeover](https://rikeshbaniyaaa.medium.com/facebook-email-disclosure-and-account-takeover-ecdb44ee12e9) by [Rikesh Baniya](https://rikeshbaniyaaa.medium.com/)
- **[Sep 03 - $126,000]** [Tale of Account Takeovers](https://ysamm.com/?p=708) by [Samm0uda](https://twitter.com/samm0uda)
- **[Sep 01 - $1,000]** [Bypassing 2-Factor Authentication for Facebook Business Manager](https://theshubh77.medium.com/bypassing-2-factor-authentication-for-facebook-business-manager-bounty-1000-usd-c78c858459d6) by [Shubham Bhamare](https://theshubh77.medium.com/)
- **[Aug 22 - $???]** [IDOR enables Allow Facebook stories shared from Instagram](https://medium.com/@mohamedajimi59/idor-enable-allow-facebook-stories-shared-from-instagram-to-tag-my-page-as-non-admin-c5bdf597684a) by [Mohamed Laajimi](https://medium.com/@mohamedajimi59)
- **[Aug 19 - $1000]** [Disclose WhatsApp Number of Instagram Accounts Despite Setting Set to be Hidden](https://www.yesnaveen.com/whatsapp-number-disclosure) by [Naveen](https://twitter.com/NaveenHax)
- **[Aug 18 - $3,449]** [Confirming any new Email Address](https://lokeshdlk77.medium.com/confirming-any-new-email-address-bug-in-facebook-part-4-70cfe1b4dca5) by [Lokesh Kumar](https://lokeshdlk77.medium.com/)
- **[Aug 02 - $???]** [Facebook Messenger indirect thread deletion](https://servicenger.com/blog/mobile/android/facebook-messenger-for-android-indirect-thread-deletion/?fbclid=IwAR1R9T91bR2aBpsiT5O0gBzz5fVOqwZHecDsbsTVXm7hNINJO7IJNaYvcZU) by [Rahul Kankrale](https://twitter.com/RahulKankrale)
- **[July 30 - $???]** [Request Review on behalf of other pages (no role in the page) in Account Quality](https://bugreader.com/jubabaghdad@request-review-on-behalf-of-other-pages-no-role-in-the-page-in-account-quality-261) by [Sarmad Hassan](https://bugreader.com/jubabaghdad)
- **[July 29 - $3,000]** [Expose Group Member](https://medium.com/@muhammadsholikhin/facebook-vulnerability-expose-group-member-3000-cca809a53f6b) by [Muhammad S](https://medium.com/@muhammadsholikhin)
- **[July 24 - $1,000]** [Not valid bug that leads to us a multiple Valid Report](https://medium.com/@Kntjrld/not-valid-bug-that-leads-to-us-a-multiple-valid-report-in-facebook-25a3fb8cb51) by [Kntjrld](https://medium.com/@Kntjrld)
- **[July 23 - $500]** [Admin of group chat cannot remove deactivate user](https://imajk.medium.com/story-of-my-3rd-bounty-from-facebook-fef352853d1b) by [Aashish Jung Kunwar](https://imajk.medium.com/)
- **[July 17 - $1,500]** [Removing Document Cover](https://medium.com/@muhammadsholikhin/facebook-vulnerability-1500-for-removing-document-cover-9ffd0173877b) by [Muhammad S](https://medium.com/@muhammadsholikhin)
- **[July 12 - $500]** [Linkshim Bypass](https://bugreader.com/ant00961@linkshim-bypass-259) by [Anthony Richa](https://www.facebook.com/whitehat/profile/AnT00961/)
- **[July 10 - $???]** [Facebook Email/phone disclosure using Binary search](https://rikeshbaniyaaa.medium.com/facebook-email-phone-disclosure-using-binary-search-d50430758c54) by [Rikesh Baniya](https://rikeshbaniyaaa.medium.com/)
- **[June 27 - $500]** [Oversightboard.com site-wide CSRF](https://ysamm.com/?p=702) by [Samm0uda](https://twitter.com/samm0uda)
- **[June 27 - $500]** [Disclose unconfirmed email/phone of a Facebook user](https://ysamm.com/?p=700) by [Samm0uda](https://twitter.com/samm0uda)
- **[June 15 - $30,000]** [I was able to see Private, Archived Posts/Stories of users on Instagram](https://fartademayur.medium.com/this-is-how-i-was-able-to-see-private-archived-posts-stories-of-users-on-instagram-without-de70ca39165c) by [Mayur Fartade](https://twitter.com/mayurfartade)
- **[June 13 - $15,500]** [User’s location diclosure in the Nearby Friends](https://otmastimi.medium.com/users-location-diclosure-in-the-nearby-friends-feature-fabd24be05cb) by [Yavor Rusev](https://otmastimi.medium.com/)
- **[June 06 - $3000]** [How I could have accessed all your private videos/photos saved inside your device](https://infosecwriteups.com/how-i-could-have-accessed-all-your-private-videos-photos-saved-inside-your-device-without-even-1a7e455ddcc8) by [Samip Aryal](https://samiparyal.medium.com/)
- **[May 31 - $???]** [Facebook Page Admin Disclosure](https://infosecwriteups.com/facebook-page-admin-disclosure-7d8893a4a674) by [Kunjan Nayak](https://kunjan-nayak.medium.com/)
- **[May 23 - $???]** [Disclose leads form details of any Facebook Business Account](https://amineaboud.medium.com/disclose-leads-form-details-of-any-facebook-business-account-or-facebook-page-bug-bounty-7ecae6cff312) by [Amine Aboud](https://twitter.com/amineaboud)
- **[May 22 - $500]** [Crossposting Live Videos](https://yaswanthmangalagiri.blogspot.com/2021/05/facebook-bug-bounty-crossposting-live.html) by [Yaswanth Mangalagiri](https://yaswanthmangalagiri.blogspot.com/)
- **[May 21 - $500]** [CSRF from which we can create a support ticket in Victim’s Account](https://rohitcoder.medium.com/csrf-from-which-we-can-create-a-support-ticket-in-victims-account-500-c1aa61f99c17) by [Rohit kumar](https://twitter.com/rohitcoder)
- **[May 21 - $500]** [Victim’s Anti CSRF Token could be exposed to Third-party Applications](https://rohitcoder.medium.com/victims-anti-csrf-token-could-be-exposed-to-third-party-applications-installed-on-user-s-device-be8e40d511ba) by [Rohit kumar](https://twitter.com/rohitcoder)
- **[May 20 - $ 1000]** [Third-Party Apps were still getting your private Facebook data](https://infosecwriteups.com/third-party-apps-were-still-getting-your-private-facebook-data-even-after-their-access-expiry-6e4be4880e6e) by [Samip Aryal](https://samiparyal.medium.com/)
- **[May 20 - $ 537]** [Instagram Live setting bug](https://infosecwriteups.com/writeups-facebook-whitehat-program-2021-instagram-live-setting-bug-500-usd-d2d076b3f8bb) by [Takashi Suzuki](https://www.linkedin.com/in/takashi-suzuki-whitehacker/)
- **[May 20 - $12,000]** [Oculus SSO bug leads to account takeover on third party websites](https://ysamm.com/?p=697) by [Samm0uda](https://twitter.com/samm0uda)
- **[May 11 - $9,600]** [Instagram Reflected XSS](https://ysamm.com/?p=695) by [Samm0uda](https://twitter.com/samm0uda)
- **[May 10 - $500]** [Undeletable Messenger Room](https://sndpgiriz.medium.com/simple-logical-bug-turned-into-a-bounty-a3d7ac214606) by [SndpGiri](https://www.facebook.com/graphql/)
- **[May 06 - $9,000]** [Identify a Facebook user by his phone number](https://ysamm.com/?p=691) by [Samm0uda](https://twitter.com/samm0uda)
- **[May 06 - $27,000]** [Unauthorized access to companies environment](https://mvinni.medium.com/workplace-by-facebook-unauthorized-access-to-companies-environment-27-5k-a593a57092f1) by [Marcos Ferreira](https://twitter.com/mvinni_?s=09)
- **[May 04 - $18,000]** [Account takeover of accounts due to unrestricted permissions](https://ysamm.com/?p=684) by [Samm0uda](https://twitter.com/samm0uda)
- **[May 04 - $3,000]** [Disclose other user followers](https://medium.com/@pratiktimilsina2001/here-ive-tried-my-best-to-explain-my-bug-bounty-journey-e2fe6c7ff89a) by [Pratik Timilsina](https://medium.com/@pratiktimilsina2001)
- **[May 01 - $500]** [Hijack Facebook user due to broken link on Facebook shop feature on IOS Facebook APP](https://medium.com/@sndpgiriz/facebook-bug-bounty-hijack-facebook-user-due-to-broken-link-on-facebook-shop-feature-on-ios-1b008685b548) by [SndpGiri](https://www.facebook.com/graphql/)
- **[Apr 30 - $ 30,000]** [Facebook account takeover due to unsafe redirects](https://ysamm.com/?p=667) by [Samm0uda](https://twitter.com/samm0uda)
- **[Apr 26 - $ 6,000]** [Download Facebook internal mobile builds](https://philippeharewood.com/download-facebook-internal-mobile-builds/) by [Philippe Harewood](https://twitter.com/phwd)
- **[Apr 18 - $ 14,000]** [Remove any Facebook’s live video](https://infosecwriteups.com/poc-remove-any-facebooks-live-video-14-000-bounty-70c8135b7b4c) by [Ahmad Talahmeh](https://edmundaa222.medium.com/)
- **[Apr 17 - $ 1,000]** [Comment Goes From Page Profile Instead of Personal Profile](https://whoisaasis.medium.com/how-i-got-my-first-bounty-from-finding-a-bug-in-facebook-4f4198dc61b8) by [Aashish Kunwar](https://twitter.com/WhoisAasis)
- **[Apr 01 - $ 30,000]** [Facebook account takeover due to a wide platform bug in ajaxpipe responses](https://ysamm.com/?p=654) by [Samm0uda](https://twitter.com/samm0uda)
- **[Apr 01 - $ 12,000]** [Facebook account takeover due to a bypass of allowed callback URLs in the OAuth flow](https://ysamm.com/?p=646) by [Samm0uda](https://twitter.com/samm0uda)
- **[Mar 19 - $ 54,800]** [How I hacked Facebook: Part Two](https://alaa0x2.medium.com/how-i-hacked-facebook-part-two-ffab96d57b19) by [Alaa Abdulridha](https://twitter.com/alaa0x2)
- **[Mar 16 - $ 1,000]** [VOICE CONFUSION WHEN COMMENTING ON WATCH PARTY](https://www.pantaprakash.com.np/posts/categories/bugbounty-writeup/5.html) by [Prakash Panta](https://twitter.com/prakashpanta268)
- **[Mar 16 - $ 9,000]** [Facebook Group Members Disclosure](https://spongebhav.medium.com/facebook-group-members-disclosure-e53eb83df39e) by [Baibhav Anand Jha](https://twitter.com/spongebhav)
- **[Mar 04 - $ 500]** [Low hanging fruits on Facebook Group Room](https://randyarios.medium.com/low-hanging-fruits-on-facebook-group-room-b8d17c7ea886) by [Randy Arios](https://randyarios.medium.com/)
- **[Mar 03 - $ 500]** [THE INVINCIBLE KID](https://infosecwriteups.com/the-invincible-kid-7ac1ce2887c0) by [Samip Aryal](https://samiparyal.medium.com/)
- **[Feb 28 - $ ???]** [Join Facebook Group With Unpublish Page](https://gevakun.medium.com/join-facebook-group-with-unpublish-page-cb649a20fb0e) by [Gevakun](https://twitter.com/Geva_7)
- **[Feb 27 - $ ???]** [Disclose hidden Product Images by featuring a non-owned collection](https://bugreader.com/bassembazzoun_@disclose-hidden-product-images-by-featuring-a-non-owned-collection-on-home-page-of-the-shop-245) by [Bassem Bazzoun](https://bugreader.com/bassembazzoun_)
- **[Feb 18 - $ ???]** [Open redirect in www.oversightboard.com](https://bugreader.com/jubabaghdad@open-redirect-in-wwwoversightboardcom-that-owned-by-facebook-244) by [Sarmad Hassan](https://bugreader.com/jubabaghdad)
- **[Feb 18 - $ 500]** [Expose Facebook object type](https://ysamm.com/?p=642) by [Samm0uda](https://twitter.com/samm0uda)
- **[Feb 18 - $ 3,600]** [Expose information about Partner accounts](https://ysamm.com/?p=640) by [Samm0uda](https://twitter.com/samm0uda)
- **[Feb 18 - $ 500]** [Ability to find Facebook employee’s test accounts](https://ysamm.com/?p=638) by [Samm0uda](https://twitter.com/samm0uda)
- **[Feb 18 - $ 500]** [Disclose internal CMS objects content](https://ysamm.com/?p=636) by [Samm0uda](https://twitter.com/samm0uda)
- **[Feb 18 - $ 500]** [Determine admin email addresses of Partners portal account](https://ysamm.com/?p=634) by [Samm0uda](https://twitter.com/samm0uda)
- **[Feb 18 - $ 500]** [XSS in Facebook CDN](https://ysamm.com/?p=632) by [Samm0uda](https://twitter.com/samm0uda)
- **[Feb 17 - $ 500]** [Dangling DNS Records on api.techprep.fb.com](https://gist.github.com/TheBinitGhimire/ec24a9de97a372cf6b7b9453511c3f8b) by [Binit Ghimire](https://twitter.com/WHOISbinit)
- **[Feb 17 - $ 4,800]** [Enumerate internal cached URLs which lead to data exposure](https://ysamm.com/?p=629) by [Samm0uda](https://twitter.com/samm0uda)
- **[Feb 17 - $ 2,000]** [Leaking Facebook user information to external websites](https://ysamm.com/?p=627) by [Samm0uda](https://twitter.com/samm0uda)
- **[Feb 17 - $ 500]** [Open redirect in Instagram.com](https://ysamm.com/?p=625) by [Samm0uda](https://twitter.com/samm0uda)
- **[Feb 17 - $ 1,500]** [Access private information about SparkAR effect owners who has a publicly viewable portfolio](https://ysamm.com/?p=621) by [Samm0uda](https://twitter.com/samm0uda)
- **[Feb 17 - $ 3,000]** [Make recruiting referrals on behalf of employees](https://ysamm.com/?p=620) by [Samm0uda](https://twitter.com/samm0uda)
- **[Feb 15 - $ 500]** [Leak of internal categorySets names and employees test accounts.](https://ysamm.com/?p=613) by [Samm0uda](https://twitter.com/samm0uda)
- **[Feb 15 - $ 1,000]** [Delete linked payments accounts of a Facebook page (or user)](https://ysamm.com/?p=609) by [Samm0uda](https://twitter.com/samm0uda)
- **[Feb 15 - $ 12,500]** [Access files uploaded by employees to internal CDNs / Regenerate URL signature of user uploaded content.](https://ysamm.com/?p=606) by [Samm0uda](https://twitter.com/samm0uda)
- **[Feb 15 - $ 500]** [URLs in img tag aren’t passed through safe_image.php which lead to exposure of Facebook users IPs.](https://ysamm.com/?p=603) by [Samm0uda](https://twitter.com/samm0uda)
- **[Feb 15 - $ 500]** [View orders and financial reports lists for any page shop](https://ysamm.com/?p=597) by [Samm0uda](https://twitter.com/samm0uda)
- **[Feb 10 - $ ???]** [Sending ephemeral message to any Facebook user](https://servicenger.com/blog/mobile/sending-ephemeral-message-to-any-facebook-user/) by [Rahul Kankrale](https://twitter.com/RahulKankrale)
- **[Feb 03 - $ 2,000]** [Facebook Messenger Desktop App Arbitrary File Read](https://medium.com/@renwa/facebook-messenger-desktop-app-arbitrary-file-read-db2374550f6d) by [Renwa](https://twitter.com/RenwaX23)
- **[Feb 02 - $ ???]** [Access developer tasks list of any Facebook Application](https://amineaboud.medium.com/access-developer-tasks-list-of-any-of-facebook-application-graphql-idor-62307c5e5b34) by [Amine Aboud](https://twitter.com/amineaboud)
- **[Feb 02 - $ ???]** [Create a block list in brand safety on behalf of any other user](https://bugreader.com/jubabaghdad@create-a-block-list-in-brand-safety-on-behalf-of-any-other-user-241) by [Sarmad Hassan](https://bugreader.com/jubabaghdad)
- **[Jan 28 - $ 4,000]** [Launching Internal & Non-Exported Deeplinks](https://ash-king.co.uk/blog/Launching-internal-non-exported-deeplinks-on-Facebook) by [Ashley King](https://twitter.com/AshleyKingUK)
- **[Jan 14 - $ 1,000]** [Irremovable Facebook group album photos](https://theshubh77.medium.com/irremovable-facebook-group-album-photos-and-entire-album-under-certain-circumstances-bounty-1000-b1b2a870b8e0) by [Shubham Bhamare](https://twitter.com/theshubh77)
- **[Jan 08 - $ 30,000]** [Create post on any Facebook page](https://www.darabi.me/2020/12/create-invisible-post-on-any-facebook.html) by [Pouya Darabi](https://twitter.com/Pouyadarabi)
- **[Jan 08 - $ ???]** [Facebook: Linkshim protection bypass using fb://webview](https://servicenger.com/blog/mobile/facebook-linkshim-protection-bypass-using-fb-webview/) by [Rahul Kankrale](https://twitter.com/RahulKankrale)
- **[Jan 04 - $ 5,000]** [Bypass of a FaceBook Page Admin Disclosure](https://savebreach.com/facebook-page-admin-identity-disclosure-through-document-edit-history/) by [Shubham Bhamare](https://twitter.com/theshubh77)
- **[Jan 03 - $ 5,000]** [Expose the email address of Workplace users](https://ysamm.com/?p=588) by [Samm0uda](https://twitter.com/samm0uda)
- **[Jan 01 - $ 30,000]** [XSS on forums.oculusvr.com](https://ysamm.com/?p=525) by [Samm0uda](https://twitter.com/samm0uda)
- **[Jan 01 - $ 500]** [Clearing tournament match score as participant](https://bugreader.com/rony@clearing-tournament-match-score-as-participant-237) by [Rony K Roy](https://bugreader.com/rony)

### 2020:-
- **[Dec 31 - $ 10,000]** [Account takeovers in third party websites](https://ysamm.com/?p=510) by [Samm0uda](https://twitter.com/samm0uda)
- **[Dec 31 - $ 500]** [Blocked fundraiser organizer unable to remove themselves](https://medium.com/bugbountywriteup/facebook-bug-bounty-500-usd-a-blocked-fundraiser-organizer-would-be-unable-to-view-or-remove-5da9f86d2fa0) by [Vivek PS](https://vivekps143.medium.com/)
- **[Dec 26 - $ 1,500]** [Facebook page admin disclosure by "Message Seller"](https://theshubh77.medium.com/facebook-page-admin-disclosure-by-message-seller-button-bounty-1500-usd-caaa2eac4121) by [Shubham Bhamare](https://twitter.com/TheShubh77)
- **[Dec 20 - $ 13,125]** [How I was able to view anyone’s private email and birthday](https://saugatpokharel.medium.com/this-is-how-i-was-able-to-view-anyones-private-email-and-birthday-on-instagram-1469f44b842b) by [Saugat Pokharel](https://twitter.com/saugatpk5)
- **[Dec 19 - $ 1,000]** [Finding the hidden members of the private events](https://medium.com/bugbountywriteup/facebook-bug-bounty-finding-the-hidden-members-of-the-private-events-977dc1784ff9) by [Vivek PS](https://vivekps143.medium.com/)
- **[Dec 12 - $ 5,000]** [Confirm an email address belonging to a specific user](https://medium.com/@yaala/confirm-an-email-address-belonging-to-a-specific-user-fe9c305e0af) by [Abdellah Yaala](https://medium.com/@yaala)
- **[Dec 11 - $ 7,500]** [How I hacked Facebook: Part One](https://alaa.blog/2020/12/how-i-hacked-facebook-part-one/) by [Alaa Abdulridha](https://twitter.com/alaa0x2)
- **[Nov 13 - $ 10,000]** [Facebook SSRF](https://medium.com/@amineaboud/10000-facebook-ssrf-bug-bounty-402bd21e58e5) by [Amine Aboud](https://twitter.com/amineaboud)
- **[Nov 13 - $ 500]** [Replying Comments On Someone’s LiveStream From Page is Posted as Personal Identity](https://medium.com/@prakashpanta1999/replying-comments-on-someones-livestream-from-page-is-posted-as-personal-identity-5fe79ef78b28) by [Prakash Panta](https://twitter.com/Prakashpanta268)
- **[Nov 13 - $ 16,125]** [How I Found The Facebook Messenger Leaking Access Token Of Million Users](https://medium.com/@guhanraja/how-i-found-the-facebook-messenger-leaking-access-token-of-million-users-8ee4b3f1e5e3) by [Guhan Raja](https://twitter.com/havocgwen)
- **[Nov 13 - $ 500]** [Commenting on a post by opening it via page’s news-feed goes from a wrong actor](https://medium.com/@aryalsamipofficial59/commenting-on-a-post-by-opening-it-via-pages-news-feed-goes-from-a-wrong-actor-i-e-56fab4cf5a91) by [Samip Aryal](https://medium.com/@aryalsamipofficial59/)
- **[Nov 13 - $ 500]** [User’s private videos/saved videos exposed through a messenger call from a locked smartphone.](https://medium.com/@aryalsamipofficial59/users-private-watched-videos-list-saved-videos-etc-30faa8610b33) by [Samip Aryal](https://medium.com/@aryalsamipofficial59)
- **[Nov 10 - $ 1500]** [Facebook iOS address bar spoofing](https://servicenger.com/blog/mobile/facebook-ios-address-bar-spoofing/) by [Rahul Kankrale](https://twitter.com/RahulKankrale)
- **[Nov 07 - $ 25,000]** [Facebook DOM Based XSS using postMessage](https://ysamm.com/?p=493) by [Samm0uda](https://twitter.com/samm0uda)
- **[Nov 04 - $ 10,750]** [Delete Any Photos In Facebook](https://lokeshdlk77.medium.com/delete-any-photos-in-facebook-832dbe81cdc4) by [Lokesh Kumar](https://twitter.com/lokeshdlk77)
- **[Nov 02 - $ 4838]** [Reveal the page admin that uploaded a video on the page in comment section](https://lokeshdlk77.medium.com/reveal-the-page-admin-that-uploaded-a-video-on-the-page-in-comment-section-9760e4a31453) by [Lokesh Kumar](https://twitter.com/lokeshdlk77)
- **[Oct 30 - $ ???]** [Ability To Backdoor Facebook For Android](https://ash-king.co.uk/blog/backdoor-android-facebook) by [Ash King](https://www.facebook.com/Ashley.King.UK)
- **[Oct 21 - $ 2000]** [Perform substring search for emails even if Workplace admin hides email profile field.](https://servicenger.com/blog/mobile/perform-substring-search-for-emails-even-if-workplace-admin-hides-email-profile-field/) by [Rahul Kankrale](https://twitter.com/RahulKankrale)
- **[Oct 21 - $ 3000]** [Facebook Page Admin Disclosure](https://servicenger.com/blog/mobile/facebook-page-admin-disclosure/) by [Rahul Kankrale](https://twitter.com/RahulKankrale)
- **[Oct 12 - $ 500]** [Disclose Emails, phone numbers, more For Facebook users who tried to add funds to their account](https://medium.com/@mustafa0x2021/disclose-emails-phone-numbers-other-information-for-facebook-users-who-tried-to-add-funds-to-31aea5f973a5) by [Mustafa Ahmed](https://twitter.com/mustafa0x2021)
- **[Oct 05 - $ 500]** [Easy wins : verbose error worth Facebook HOF](https://medium.com/@ironfisto/easy-wins-verbose-error-worth-facebook-hof-7d8a99dd920b) by [Mukul Lohar](https://twitter.com/missoum1307)
- **[Oct 02 - $ 10,000]** [Arbitrary code execution on Facebook for Android through download feature](https://medium.com/@ironfisto/easy-wins-verbose-error-worth-facebook-hof-7d8a99dd920b) by [Mukul Lohar](https://twitter.com/missoum1307)
- **[Sep 30 - $ ???]** [Story of a weird vulnerability I found on Facebook](https://medium.com/@amineaboud/story-of-a-weird-vulnerability-i-found-on-facebook-fc0875eb5125) by [Amine Aboud](https://twitter.com/amineaboud)
- **[Sep 15 - $ ???]** [How I Accidentally Got My First Bounty From Facebook](https://medium.com/bugbountywriteup/how-i-accidentally-got-my-first-bounty-from-facebook-facebook-bug-bounty-2020-c12bd2ad8575) by [Bishal Shrestha](https://twitter.com/bishal0x01)
- **[Sep 12 - $ ???]** [How I Hacked Facebook Again! Unauthenticated RCE on MobileIron MDM](https://blog.orange.tw/2020/09/how-i-hacked-facebook-again-mobileiron-mdm-rce.html) by [Orange Tsai](https://twitter.com/orange_8361)
- **[Aug 18 - $ 500]** [How could I Tag Photo to any user’s Scrapbook on Facebook](https://medium.com/bugbountywriteup/how-could-i-tag-photo-to-any-users-scrapbook-on-facebook-23ab15e6e4b4) by [Raja Sudhakar](https://twitter.com/Rajasudhakar)
- **[Aug 14 - $ 6,000]** [Deleted data stored permanently on Instagram? Facebook Bug Bounty 2020](https://medium.com/nassec-cybersecurity-writeups/deleted-data-stored-permanently-on-instagram-facebook-bug-bounty-2020-26074c229955) by [Saugat Pokharel](https://twitter.com/saugatpk5)
- **[Aug 11 - $ ???]** [Group Admin Can’t Able to Moderate Comments](https://medium.com/@prakashpanta1999/group-admin-cant-able-to-moderate-comments-when-posted-through-page-facebook-bug-bounty-2020-16c2d04a27cb) by [Prakash Panta](https://twitter.com/Prakashpanta268)
- **[Aug 10 - $ ???]** [My 2nd 4digit Bug Bounty From Facebook](https://medium.com/@sudipshah_66336/my-2nd-4digit-bug-bounty-from-facebook-99baa727ed02) by [Sudip Shah](https://medium.com/@sudipshah_66336)
- **[Aug 08 - $ 500]** [Reflected XSS in Facebook’s mirror websites](https://medium.com/bugbountywriteup/reflected-xss-in-facebooks-mirror-websites-4384b4eb3e11) by [Sudhanshu Rajbhar](https://twitter.com/sudhanshur705)
- **[July 30 - $ ???]** [Weird Behavior of Facebook Page FAQ Leading to Bounty from Facebook](https://medium.com/@ashokcpg/weird-behavior-of-facebook-page-faq-leading-to-bounty-from-facebook-b4984e623b38) by [Ashok Chapagai](https://twitter.com/ashokcpg)
- **[July 27 - $ ???]** [Disclose content of internal Facebook javascript modules](https://ysamm.com/?p=487) by [Samm0uda](https://twitter.com/samm0uda)
- **[July 17 - $ ???]** [Story Of 4 digit bounty](https://medium.com/@sudipshah_66336/the-story-of-my-first-4-digit-bounty-from-facebook-3a29830e03cd) by [Sudip Shah](https://twitter.com/ashokcpg)
- **[July 02 - $ 1500]** [Browser Anomaly](https://blog.easysiem.com/application-security/case-study-i-browser-anomaly-with-facebook-apps-1500usd) by [easySIEM](https://twitter.com/easySIEM)
- **[July 02 - $ 5500]** [Admin disclosure of Facebook verified pages](https://ysamm.com/?p=479) by [Samm0uda](https://twitter.com/samm0uda)
- **[June 25 - $ ???]** [Hidden Comments](https://medium.com/@saugatpokharel/able-to-create-hidden-comment-by-blocking-an-admin-facebook-bug-bounty-2020-c62bd10712f) by [Saugat Pokharel](https://twitter.com/saugatpk5)
- **[June 21 - $ ???]** [XSS-On-Facebook](https://medium.com/@win3zz/simple-story-of-some-complicated-xss-on-facebook-8a9c0d80969d) by [Bipin Jitiya](https://twitter.com/win3zz)
- **[June 20 - $ 1500]** [Information Disclosure On Facebook](https://alaa.blog/2020/06/how-did-i-found-information-disclosure-on-facebook-writeup/) by [Alaa Abdulridha](https://twitter.com/Madrid89001310)
- **[June 18 - $ ???]** [Page-Admin-Disclosure](https://medium.com/@saugatpokharel/replying-on-livestream-leading-to-page-admin-disclosure-facebook-bug-bounty-b24792a19638) by [Saugat Pokharel](https://twitter.com/saugatpk5)
- **[June 14 - $ ???]** [Privilege escalation in Partners Portal to Admin access](https://ysamm.com/?p=460) by [Samm0uda](https://twitter.com/samm0uda)
- **[June 14 - $ ???]** [Disclose the Instagram account linked to a Facebook user account or page](https://ysamm.com/?p=450) by [Samm0uda](https://twitter.com/samm0uda)
- **[June 14 - $ ???]** [Internal directories enumeration in www](https://ysamm.com/?p=458) by [Samm0uda](https://twitter.com/samm0uda)
- **[June 05 - $ ???]** [Delete saved credit cards from any Business Manager Account](https://medium.com/@rohitcoder/idor-delete-saved-credit-cards-from-any-business-manager-account-f28c773982eb) by [Rohit kumar](https://twitter.com/rohitcoder)
- **[June 02 - $ 10000]** [Another image removal vulnerability on Facebook](https://blog.darabi.me/2020/06/image-removal-vulnerability-on-facebook.html) by [Pouya Darabi](https://twitter.com/Pouyadarabi)
- **[May 28 - $ ???]** [How I made $31500 by submitting a bug to Facebook](https://medium.com/@win3zz/how-i-made-31500-by-submitting-a-bug-to-facebook-d31bb046e204) by [Bipin Jitiya](https://twitter.com/win3zz)
- **[May 28 - $ ???]** [How I was able to see Private Video Uploader Via Facebook Rights Manager](https://medium.com/@kishoretk/how-i-was-able-to-see-identity-of-a-private-video-up-loader-via-rights-manager-responsible-39d996517b6e) by [Kishore TK](https://twitter.com/kishoretk_off)
- **[May 21 - $ ???]** [Cannot Revoke Session on Messenger for Kids](https://medium.com/@saugatpokharel/cannot-revoke-session-on-messenger-for-kids-facebook-bug-bounty-2020-9505ca201ec7) by [Saugat Pokharel](https://twitter.com/saugatpk5)
- **[May 21 - $ ???]** [Bypassing Message Request inbox](https://medium.com/@yaala/bypassing-message-request-inbox-cf54f859dd25) by [Abdellah Yaala](https://twitter.com/yaalaab)
- **[May 20 - $ ???]** [Change any link at https://fbwat.ch/](https://philippeharewood.com/change-any-link-at-https-fbwat-ch/) by [Philippe Harewood](https://twitter.com/phwd)
- **[May 20 - $ 7500]** [Become member of close & public group](https://medium.com/@yaala/become-member-of-close-public-group-9564c359c050) by [abdellah yaala](https://medium.com/@yaala)
- **[May 18 - $ 1500]** [FB & Messenger for iOS : Address Bar spoofing using data uri](https://servicenger.com/blog/mobile/facebook-for-ios-address-bar-spoofing/) by [Rahul Kankrale](https://twitter.com/RahulKankrale)
- **[May 12 - $ 750]** [Change the profanity filter for any Facebook page](https://philippeharewood.com/change-the-profanity-filter-for-any-facebook-page/) by [Philippe Harewood](https://twitter.com/phwd)
- **[May 07 - $ 20000]** [$20000 Facebook DOM XSS](https://vinothkumar.me/20000-facebook-dom-xss/) by [Vinoth Kumar](https://twitter.com/vinodsparrow)
- **[May 02 - $ ???]** [Private Dashboards were accessible](https://medium.com/@rohitcoder/private-dashboards-were-accessible-by-other-admins-in-analytics-dashboard-558010a379ab) by [Rohit kumar](https://twitter.com/rohitcoder)
- **[May 02 - $ ???]** [Exposure of Facebook object type by knowing the object ID](https://ysamm.com/?p=444) by [Samm0uda](https://twitter.com/samm0uda)
- **[May 02 - $ ???]** [Add draft subtitles to any Facebook video and Full Path Disclosure](https://ysamm.com/?p=437) by [Samm0uda](https://twitter.com/samm0uda)
- **[Apr 16 - $ 750]** [Receiving instagram notifications after Logout](https://fadhilthomas.github.io/facebook-white-hat-01/) by [Jane Manchun Wong](https://twitter.com/wongmjane)
- **[Apr 04 - $ ???]** [Cannot Delete Post on Facebook Group: Facebook Bug Bounty](https://medium.com/@saugatpokharel/cannot-delete-post-on-facebook-group-facebook-bug-bounty-4f2661655c3a) by [Saugat Pokharel](https://twitter.com/saugatpk5)
- **[Apr 01 - $ ???]** [The story of my first ever, $xxxx](https://medium.com/@ashokcpg/the-story-of-my-first-ever-1500-bounty-from-facebook-49eb64d26160) by [Ashok Chapagai](https://twitter.com/ashokcpg)
- **[Mar 14 - $ ???]** [Blocked User Can Send Notification Due to Logical Bug](https://medium.com/bugbountywriteup/blocked-user-can-send-notification-due-to-logical-bug-in-instagram-first-instagram-bug-2bd09aa52f14) by [Divyanshu Shukla](https://medium.com/@justm0rph3u5)
- **[Mar 13 - $ ???]** [Generate valid signatures for FBCDN urls](https://philippeharewood.com/generate-valid-signatures-for-fbcdn-urls/) by [Philippe Harewood](https://twitter.com/ashokcpg)
- **[Mar 11 - $ ???]** [Generate valid signatures for files hosted in Facebook CDNs](https://ysamm.com/?p=404) by [Samm0uda](https://twitter.com/samm0uda)
- **[Mar 11 - $ ???]** [Ability to bruteforce Instagram account’s password due to lack of rate limitation protection](https://ysamm.com/?p=396) by [Samm0uda](https://twitter.com/samm0uda)
- **[Mar 01 - $ 55,000]** [Facebook OAuth Framework Vulnerability](https://www.amolbaikar.com/facebook-oauth-framework-vulnerability/) by [Amol Baikar](https://twitter.com/AmolBaikar)
- **[Feb 29 - $ 3000]** [Page Admin Disclosure via an Upgraded Page Post](https://medium.com/@timpaxerror/page-admin-disclosure-via-an-upgraded-page-post-57863fb02c50) by [dw1](https://twitter.com/0x61_)
- **[Feb 28 - $ 12,500]** [Facebook CSRF bug which lead to Instagram Partial account takeover.](https://ysamm.com/?p=379) by [Samm0uda](https://twitter.com/samm0uda)
- **[Feb 17 - $ 500]** [Open-redirect Vulnerability on Facebook](https://medium.com/@dwi.siswanto98/open-redirect-on-facebook-bypass-linkshim-4050f680d45c) by [Ashok Chapagai](https://medium.com/@dwi.siswanto98)
- **[Feb 08 - $ ???]** [Determine users with detailed role model on behalf of any Facebook Application](https://www.amolbaikar.com/determine-users-with-detailed-role-model-on-behalf-of-any-facebook-application/) by [Amol Baikar](https://twitter.com/AmolBaikar)
- **[Feb 04 - $ ???]** [Allowing Read From The File System Access](https://www.perimeterx.com/tech-blog/2020/whatsapp-fs-read-vuln-disclosure/) by [Ashok Chapagai](https://twitter.com/ashokcpg)
- **[Feb 02 - $ ???]** [Disclose Full Admin List of any Facebook Applications](https://www.amolbaikar.com/disclose-full-admin-list-of-any-facebook-applications/) by [Amol Baikar](https://twitter.com/AmolBaikar)
- **[Jan 26 - $ ???]** [XSS on Facebook-Instagram CDN Server bypassing signature protection](https://www.amolbaikar.com/xss-on-facebook-instagram-cdn-server-bypassing-signature-protection/) by [Amol Baikar](https://twitter.com/AmolBaikar)
- **[Jan 26 - $ ???]** [Disclose Facebook Business Account ID](https://www.amolbaikar.com/disclose-facebook-business-account-id/) by [Amol Baikar](https://twitter.com/AmolBaikar)
- **[Jan 26 - $ ???]** [XSS on Facebook’s acquisition Oculus CDN Server](https://www.amolbaikar.com/xss-on-facebooks-acquisition-oculus-cdn-server/) by [Amol Baikar](https://twitter.com/AmolBaikar)
- **[Jan 23 - $ 12,500]** [Cross-Site Websocket Hijacking bug in Facebook that leads to account takeover](https://ysamm.com/?p=363) by [Samm0uda](https://twitter.com/samm0uda)
- **[Jan 22 - $ 500]** [Facebook Vulnerability: Hidden “Community Manager” in Pages due to “Invitation Accept” logic](https://medium.com/@ritishkumarsingh/facebook-vulnerability-hidden-community-manager-in-pages-due-to-invitation-accept-logic-61ddbe229c97) by [Ritish Kumar Singh](https://medium.com/@ritishkumarsingh)

### 2019:-
- **[Dec 29 - $ ???]** [Information Disclosure Bug](https://medium.com/bug-bounty-hunting/facebook-bug-bounty-story-x000-for-an-information-disclosure-bug-f0c0d19d7815) by [Circle Ninja](https://twitter.com/circleninja)
- **[Dec 26 - $ ???]** [Bypassing Brand Collabs Manager Eligibility on Facebook](https://medium.com/nassec-cybersecurity-writeups/this-is-how-i-got-xxxx-from-facebook-for-instagram-bug-aaff50342246) by [Ajay Gautam](https://twitter.com/evilboyajay)
- **[Dec 13 - $ ???]** [Facebook New Account Verification Bypass](https://medium.com/@santoshbrl5/facebook-new-account-verification-bypass-c589017f2faf) by [Santosh Baral](https://twitter.com/santoshbrl5)
- **[Dec 09 - $ 3,000]** [Media deletion CSRF vulnerability on Instagram](https://blog.darabi.me/2019/12/instagram-delete-media-csrf.html) by [Pouya Darabi](https://twitter.com/Pouyadarabi)
- **[Nov 27 - $ 5,000]** [Reflected XSS in graph.facebook.com leads to account takeover in IE/Edge](https://ysamm.com/?p=343) by [Samm0uda](https://twitter.com/samm0uda)
- **[Nov 21 - $ 1,000]** [Disable Any Unconfirmed Account in Facebook](https://medium.com/@lokeshdlk77/disable-any-unconfirmed-account-in-facebook-123aeba19426) by [Lokesh Kumar](https://twitter.com/lokeshdlk77)
- **[Nov 20 - $ ???]** [Delete Facebook Ask for Recommendations post’s place objects in comments](https://medium.com/@rajasudhakar/how-i-could-delete-facebook-ask-for-recommendations-posts-place-objects-in-comments-b7c9bcdf1c92) by [Raja Sudhakar](https://twitter.com/Rajasudhakar)
- **[Nov 19 - $ ???]** [Disclose the owner of a recruiting manager in Jobs Beta](https://philippeharewood.com/disclose-the-owner-of-a-recruiting-manager-in-jobs-beta/) by [Philippe Harewood](https://twitter.com/phwd)
- **[Nov 16 - $ ???]** [View the ranked messenger users for any page](https://philippeharewood.com/view-the-ranked-messenger-users-for-any-page/) by [Philippe Harewood](https://twitter.com/phwd)
- **[Oct 30 - $ 500]** [Live Video facebook application (Android) its not expired when log out](https://medium.com/@naufalseptiadi/live-video-facebook-application-android-its-not-expired-when-log-out-the-device-on-4d4e0b67b362) by [Naufal Septiadi](https://www.linkedin.com/in/naufal-septiadi/)
- **[Oct 28 - $ ???]** [Crash web — app through application form of job application pages](https://medium.com/@tiendat253/writeup-fb-crash-web-app-through-application-form-of-job-application-pages-405fa3def937) by [TienDat](https://medium.com/@tiendat253)
- **[Oct 24 - $ 1,500]** [Session Expiration Bypass in Facebook Creator App](https://medium.com/@evilboyajay/session-expiration-bypass-in-facebook-creator-app-b4f65cc64ce4) by [Philippe Harewood](https://twitter.com/phwd)
- **[Oct 22 - $ 3,000]** [Disclose members in any closed Facebook group](https://medium.com/@edmundaa222/poc-disclose-members-in-any-closed-facebook-group-259783fa4bf) by [Ahmad Talahmeh](https://medium.com/@edmundaa222)
- **[Oct 17 - $ ???]** [1-800-Flowers Credentials and message log leak via facebook.com/facebook](https://philippeharewood.com/1-800-flowers-credentials-and-message-log-leak-via-facebook-com-facebook/) by [Philippe Harewood](https://twitter.com/phwd)
- **[Oct 15 - $ 500]** [Disclosure the verified phone number in Checkpoint.](https://medium.com/@tiendat253/writeup-bugbounty-facebook-disclosure-the-verified-phone-number-in-checkpoint-aa652faeaf21) by [TienDat](https://medium.com/@tiendat253)
- **[Oct 12 - $ ???]** [Whitehat test accounts can act as Hidden Admin with Business manager / Ad Accounts.](https://medium.com/@rohitcoder/whitehat-test-accounts-can-act-as-hidden-admin-with-business-manager-ad-accounts-ce75ead5ffff) by [Rohit kumar](https://twitter.com/rohitcoder)
- **[Sep 21 - $ 500]** [Facebook Workplace Privilege Escalation Vulnerability To Change The Post Privacy As Public](https://medium.com/bugbountywriteup/facebook-workplace-privilege-escalation-vulnerability-to-change-the-post-privacy-as-public-634f1c995780) by [Guhan Raja](https://twitter.com/havocgwen)
- **[Sep 20 - $ ???]** [Business ID leak via Creative Hub redirect](https://philippeharewood.com/business-id-leak-via-creative-hub-redirect/) by [Philippe Harewood](https://twitter.com/phwd)
- **[Sep 13 - $ ???]** [How two dead accounts allowed remote crash of any instagram android user](https://www.valbrux.it/blog/2019/09/13/how-two-dead-users-allowed-remote-crash-of-any-instagram-android-user/) by [Valbrux](https://www.twitter.com/val_brux)
- **[Sep 12 - $ ???]** [Facebook employee internal tool and conversations leaked in Facebook video](https://philippeharewood.com/facebook-employee-internal-tool-and-conversations-and-leaked-in-facebook-video/) by [Philippe Harewood](https://twitter.com/phwd)
- **[Sep 12 - $ ???]** [Add users to roles on Facebook pages without an invitation consent](https://philippeharewood.com/add-users-to-roles-on-facebook-pages-without-an-invitation-consent/) by [Philippe Harewood](https://twitter.com/phwd)
- **[Sep 10 - $ ???]** [Subscribe to the list of requesters to join a Facebook live video using MQTT](https://philippeharewood.com/subscribe-to-the-list-of-requesters-to-join-a-facebook-live-video-using-mqtt/) by [Philippe Harewood](https://twitter.com/phwd)
- **[Sep 09 - $ 750]** [Oculus identity verification bypass through brute-force](https://medium.com/@karthiksoft007/oculus-identity-verification-bypass-through-brute-force-dbd0c0d3c37e) by [karthik kumar reddy](https://twitter.com/karthiksunny007)
- **[Sep 02 - $ 1,000]** [HTML to PDF converter bug leads to RCE in Facebook server](https://ysamm.com/?pd=280) by [Samm0uda](https://twitter.com/samm0uda)
- **[Aug 26 - $ 10,000]** [How I Hacked Instagram Again](https://thezerohack.com/hack-instagram-again) by [Laxman Muthiyah](https://twitter.com/LaxmanMuthiyah)
- **[Aug 24 - $ ???]** [Create living room polls as a Facebook page analyst](https://philippeharewood.com/create-living-room-polls-as-a-facebook-page-analyst/) by [Philippe Harewood](https://twitter.com/phwd)
- **[Aug 22 - $ ???]** [Rights Manager Graph API Disclosure of business employee to non business employee](https://www.updatelap.com/2019/08/Rights-Manager-Graph-API-Disclosure-of-business-employee-to-non-business-employee.html) by [Jafar_Abo_Nada](https://twitter.com/Jafar_Abo_Nada)
- **[Aug 21 - $ 500]** [Instagram account is reactivated without entering 2FA ($500)](https://bugbountypoc.com/instagram-account-is-reactivated-without-entering-2fa/) by [Philippe Harewood](https://twitter.com/phwd)
- **[Aug 21 - $ ???]** [Sending Message as page being an analyst/ advertiser](https://medium.com/@aayushpokhrel/how-i-made-my-first-from-finding-a-bug-in-facebook-da3b11e550f0) by [Baibhav Anand](https://twitter.com/SpongeBhav)
- **[Aug 19 - $ ???]** [Facebook Bug Bounty: Reading WhatsApp contacts list without unlocking the device](https://medium.com/@ar_arvind/facebook-bug-bounty-reading-whatsapp-contacts-list-without-unlocking-the-device-a40e9c660a42) by [Arvind](https://medium.com/@ar_arvind)
- **[Aug 19 - $ 2,500]** [Removing profile pictures for any Facebook user](https://philippeharewood.com/removing-profile-pictures-for-any-facebook-user/) by [Philippe Harewood](https://twitter.com/phwd)
- **[Aug 18 - $ ???]** [Add users to roles on Facebook pages without an invitation consent (revisited)](https://philippeharewood.com/add-users-to-roles-on-facebook-pages-without-an-invitation-consent-revisited/) by [Philippe Harewood](https://twitter.com/phwd)
- **[Aug 15 - $ ???]** [ByPassing fix of Domain Blocking feature in Business Manager](https://medium.com/@rohitcoder/bypassing-fix-of-domain-blocking-feature-in-business-manager-41949a18460c) by [Rohit kumar](https://twitter.com/rohitcoder)
- **[Aug 15 - $ ???]** [Facebook Messenger exposing deleted messages using](https://medium.com/@renwa/facebook-messenger-disclosing-deleted-messages-that-has-been-deleted-by-remove-for-everyone-1fb5a52cc7df) by [Renwa](https://twitter.com/RenwaX23/)
- **[Aug 01 - $ ???]** [Download predictions details of ads plans of any business.](https://ysamm.com/?p=291) by [Samm0uda](https://twitter.com/samm0uda)
- **[Aug 01 - $ ???]** [Internal path disclosure in Instagram server](https://ysamm.com/?p=321) by [Samm0uda](https://twitter.com/samm0uda)
- **[Aug 01 - $ ???]** [Access portal of Facebook mobile retailers and see earnings and referrals reports.](https://ysamm.com/?p=314) by [Samm0uda](https://twitter.com/samm0uda)
- **[Aug 01 - $ ???]** [View orders and financial reports lists for any page shop](https://ysamm.com/?p=281) by [Samm0uda](https://twitter.com/samm0uda)
- **[July 26 - $ ???]** [Instagram bug disclosing user’s phone number via checkpoint](https://pwnsec.ninja/2019/07/26/facebook-bugbounty-tale-of-an-instagram-bug-disclosing-users-phone-number-via-checkpoint/) by [Bijan Murmu](https://twitter.com/0xBijan)
- **[July 21 - $ ???]** [Subscribe to typing notifications for any Instagram user](https://philippeharewood.com/subscribe-to-typing-notifications-for-any-instagram-user/) by [Philippe Harewood](https://twitter.com/phwd)
- **[July 20 - $ ???]** [Get Page Inbox notifications for any Facebook page](https://philippeharewood.com/get-page-inbox-notifications-for-any-facebook-page/) by [Philippe Harewood](https://twitter.com/phwd)
- **[July 17 - $ 500]** [How Recon helped me to to find a Facebook domain takeover](https://medium.com/@sudhanshur705/how-recon-helped-me-to-to-find-a-facebook-domain-takeover-58163de0e7d5) by [Sudhanshu Rajbhar](https://twitter.com/sudhanshur705)
- **[July 16 - $ 3,000]** [CSRF Email Confirmation Vulnerability for Gmail & G-Suite in Facebook](https://medium.com/@lokeshdlk77/csrf-email-confirmation-vulnerability-for-gmail-g-suite-in-facebook-5ab551a0a526) by [Lokesh Kumar](https://twitter.com/lokeshdlk77)
- **[July 15 - $ ???]** [Sending messages as a page with jobmanager permission](https://medium.com/@0x01devansh/facebook-bug-sending-messages-as-a-page-with-jobmanager-permission-763dc0d8e32c) by [Devansh batham](https://twitter.com/devanshwolf)
- **[July 14 - $ 30,000]** [How I Could Have Hacked Any Instagram Account](https://thezerohack.com/hack-any-instagram#articlescroll) by [Laxman Muthiyah](https://twitter.com/LaxmanMuthiyah)
- **[July 12 - $ 500]** [Facebook Bug bounty page admin disclose bug](https://medium.com/@yusuffurkan/facebook-bug-bounty-page-admin-disclose-bug-facebook-android-app-c0fa50459177) by [Yusuf Furkan](https://twitter.com/h1_yusuf)
- **[July 04 - $ 2000]** [This is how I managed to win $2000 through Facebook Bug Bounty](https://medium.com/@saugatpokharel/this-is-how-i-managed-to-win-2000-through-facebook-bug-bounty-a7d531d5097e) by [Saugat Pokharel](https://twitter.com/saugatpk5)
- **[July 04 - $ 500]** [Unremovable Co-Host in facebook page events](https://medium.com/@ritishkumarsingh/facebook-vulnerability-unremovable-co-host-in-facebook-page-events-695729d6a09d) by [Ritish Kumar Singh](https://medium.com/@ritishkumarsingh)
- **[June 28 - $ ???]** [Page admin disclosure](https://pwnsec.ninja/2019/06/28/facebook-bugbounty-short-story-on-page-admin-disclosure/) by [Bijan Murmu](https://twitter.com/0xBijan)
- **[June 26 - $ ???]** [Toggle Group Rules Agreement as a non-member](https://philippeharewood.com/toggle-group-rules-agreement-as-a-non-member/) by [Philippe Harewood](https://twitter.com/phwd)
- **[June 24 - $ ???]** [Download .arexport files for any public AR Studio Effect](https://philippeharewood.com/download-arexport-files-for-any-public-ar-studio-effect/) by [Philippe Harewood](https://twitter.com/phwd)
- **[June 22 - $ ???]** [Page Admin Disclosure](https://medium.com/@evilboyajay/page-admin-disclosure-facebook-bug-bounty-2019-ee9920e768eb) by [Ajay Gautam](https://twitter.com/evilboyajay)
- **[June 17 - $ 500]** [Business user Employees could have applied block list to all ad accounts listed in the business manager.](https://medium.com/@rohitcoder/business-user-employees-can-add-edit-change-or-apply-block-list-to-a-business-account-7b3e8aae667e) by [Rohit kumar](https://twitter.com/rohitcoder)
- **[June 11 - $ 1,500]** [Facebook Vulnerability: Non-unfriendable user in /hacked workflow](https://medium.com/@ritishkumarsingh/facebook-vulnerability-non-unfriendable-user-in-hacked-workflow-5a3b392a2a98) by [Ritish Kumar Singh](https://medium.com/@ritishkumarsingh)
- **[May 27 - $ ???]** [View Facebook payouts for any Facebook Trivia Game](https://philippeharewood.com/view-f0xBijan) by [Philippe Harewood](https://twitter.com/phwd)
- **[May 25 - $ ???]** [Disclose files content from Facebook internal CDNs](https://ysamm.com/?p=272) by [Samm0uda](https://twitter.com/samm0uda)
- **[May 22 - $ 1,000]** [Determine a Facebook user from an email address](https://philippeharewood.com/determine-a-user-from-an-email-address) by [Philippe Harewood](https://twitter.com/phwd)
- **[May 17 - $ 500]** [Bypassing Instagram’s stories restriction](https://medium.com/@baibhavanandjha/bypassing-instagrams-stories-restriction-5936f8a4f079) by [Baibhav Anand](https://twitter.com/iBaibhavJha)
- **[Apr 30 - $ 3,000]** [Facebook’s URL spoofing vulnerability](https://medium.com/@kankrale.rahul/from-na-to-3000-facebooks-url-spoofing-vulnerability-b4be1a3c63b1) by [Rahul Kankrale](https://twitter.com/RahulKankrale)
- **[Apr 23 - $ 5,000]** [Facebook’s Burglary Shopping List](https://www.7elements.co.uk/resources/blog/facebooks-burglary-shopping-list/) by [Philippe Harewood](https://twitter.com/phwd)
- **[Apr 22 - $ ???]** [Disclose the content of internal Facebook Javascript modules.](https://ysamm.com/?p=256) by [John Moss](https://twitter.com/x41x41x41)
- **[Apr 02 - $ 1,000]** [Hiding from Facebook Page Admin(s) in /hacked workflow](https://medium.com/@ritishkumarsingh/https-medium-com-ritishkumarsingh-facebook-vulnerability-hiding-from-facebook-page-admin-in-hacked-workflow-86f366f183c6) by [Ritish Kumar Singh](https://medium.com/@ritishkumarsingh)
- **[Apr 01 - $ ???]** [How I was able to get your facebook private friend list](https://medium.com/@rajsek/how-i-was-able-to-get-your-facebook-private-friend-list-responsible-disclosure-91984606e682) by [Raja Sekar Durairaj](https://medium.com/@rajsek)
- **[Mar 24 - $ 500]** [Facebook Marketing Confidential Call Transcript](https://philippeharewood.com/facebook-marketing-confidential-call-transcript/) by [Philippe Harewood](https://twitter.com/phwd)
- **[Mar 19 - $ 10,000]** [Denial of service in Facebook Fizz due to integer overflow](https://lgtm.com/blog/facebook_fizz_CVE-2019-3560) by [kevin_backhouse](https://twitter.com/kevin_backhouse)
- **[Mar 19 - $ 750]** [DoS Across Facebook Endpoints](https://medium.com/@maxpasqua/dos-across-facebook-endpoints-1d7d0bc27c7f) by [Max Pasqua](https://medium.com/@maxpasqua)
- **[Mar 16 - $ 4,000]** [Disclosure of Pending Roles for any Facebook Page](https://medium.com/@avinash_/disclosure-of-pending-roles-for-any-facebook-page-ab6e4e219f8e) by [Avinash Kumar](https://twitter.com/itsavinash_)
- **[Mar 11 - $ 1,000]** [CVE-2018-16794 on fs.thefacebook.com](https://philippeharewood.com/cve-2018-16794-on-fs-thefacebook-com/) by [Philippe Harewood](https://twitter.com/phwd)
- **[Mar 07 - $ ???]** [Mapping Communication Between Facebook Accounts Using a Browser-Based Side Channel Attack](https://www.imperva.com/blog/mapping-communication-between-facebook-accounts-using-a-browser-based-side-channel-attack/) by [Ron Masas](https://ronmasas.com/)
- **[Mar 06 - $ ???]** [Facebook Messenger server random memory exposure through corrupted GIF image](https://www.vulnano.com/2019/03/facebook-messenger-server-random-memory.html) by [Dzmitry Lukyanenka](https://twitter.com/vulnano)
- **[Mar 05 - $ 1,000]** [Facebook exploit – Confirm website visitor identities](http://www.tomanthony.co.uk/blog/facebook-bug-confirm-user-identities/) by [Tom Anthony](https://twitter.com/TomAnthonySEO)
- **[Feb 16 - $ ???]** [Bypass password confirmation in Facebook “DYI” feature](https://ysamm.com/?p=240) by [Samm0uda](https://twitter.com/samm0uda)
- **[Feb 16 - $ 1,000]** [Bug Exposed Offsite Employee Events, Sensitive emails Putting Employees at Risk](https://medium.com/@rohitcoder/facebook-workplace-bug-exposed-offsite-employee-events-sensitive-emails-putting-employees-at-risk-813d77a0c0ab) by [Rohit kumar](https://twitter.com/rohitcoder)
- **[Feb 14 - $ ???]** [Third Party Android App Storing Facebook Data Insecurely](https://wwws.nightwatchcybersecurity.com/2019/02/14/third-party-android-app-storing-facebook-data-insecurely/) by [Nightwatch Cybersecurity](https://twitter.com/nightwatchcyber)
- **[Feb 13 - $ 15,000]** [Disclose private attachments in Facebook Messenger Infrastructure](https://medium.com/bugbountywriteup/disclose-private-attachments-in-facebook-messenger-infrastructure-15-000-ae13602aa486) by [Sarmad Hassan](https://twitter.com/JubaBaghdad)
- **[Feb 12 - $ 25,000]** [Facebook CSRF protection bypass which leads to Account Takeover](https://ysamm.com/?p=185) by [Samm0uda](https://twitter.com/samm0uda)
- **[Feb 12 - $ ???]** [Export Facebook audience network reports of any business](https://ysamm.com/?p=21) by [Samm0uda](https://twitter.com/samm0uda)
- **[Feb 07 - $ ???]** [Internal paths disclosure due to improper exception handling](https://ysamm.com/?p=158) by [Samm0uda](https://twitter.com/samm0uda)
- **[Feb 07 - $ ???]** [Leak of private/in-development app ids, names and translation requests](https://ysamm.com/?p=171) by [Samm0uda](https://twitter.com/samm0uda)
- **[Jan 25 - $ ???]** [Facebook Change Product Availability as a PageAnalyst](https://www.symbo1.com/articles/2019/01/25/fb-change-product-availability-as-pageanalyst.html) by [onehackzero](https://www.symbo1.com)
- **[Jan 22 - $ ???]** [Enroll in Facebook Ad-break program without Facebook approval](https://ysamm.com/?p=68) by [Samm0uda](https://twitter.com/samm0uda)
- **[Jan 22 - $ ???]** [Disclose page’s admins and its Monetization payout details](https://ysamm.com/?p=60) by [Samm0uda](https://twitter.com/samm0uda)
- **[Jan 22 - $ ???]** [Disclose page violations and its eligibility to use Ad-breaks](https://ysamm.com/?p=64) by [Samm0uda](https://twitter.com/samm0uda)
- **[Jan 22 - $ ???]** [Disclose Instagram business account linked to a Facebook page](https://ysamm.com/?p=56) by [Samm0uda](https://twitter.com/samm0uda)
- **[Jan 22 - $ ???]** [Change payment account of any Facebook commerce page](https://ysamm.com/?p=50) by [Samm0uda](https://twitter.com/samm0uda)
- **[Jan 22 - $ ???]** [Expose business email and payment account balance of any Facebook commerce page.](https://ysamm.com/?p=45) by [Samm0uda](https://twitter.com/samm0uda)
- **[Jan 22 - $ ???]** [Reveal if a Facebook merchant page has pending or completed orders](https://ysamm.com/?p=42) by [Samm0uda](https://twitter.com/samm0uda)
- **[Jan 22 - $ ???]** [Lack of rate limiting protection](https://ysamm.com/?p=38) by [Samm0uda](https://twitter.com/samm0uda)
- **[Jan 22 - $ ???]** [Generate Access Tokens for any Facebook user](https://ysamm.com/?p=35) by [Samm0uda](https://twitter.com/samm0uda)
- **[Jan 22 - $ ???]** [Modify users profiles of techprep.fb.com](https://ysamm.com/?p=30) by [Samm0uda](https://twitter.com/samm0uda)
- **[Jan 22 - $ ???]** [Uploading files to api.techprep.fb.com](https://ysamm.com/?p=12) by [Samm0uda](https://twitter.com/samm0uda)
- **[Jan 15 - $ 500]** [Unremovable facebook group admin](https://medium.com/@ritishkumarsingh/facebook-vulnerability-unremovable-facebook-group-admin-2cbf4faf55c1) by [Ritish Kumar Singh](https://medium.com/@ritishkumarsingh)
- **[Jan 13 - $ ???]** [Hack Your Form – New vector for Blind XSS](https://generaleg0x01.com/2019/01/13/hackyourform-bxss/) by [Youssef A. Mohamed](https://twitter.com/GeneralEG64)
- **[Jan 11 - $ ???]** [Workplace Logo ID to workplace owner name Disclosure Facebook Bug Bounty](https://medium.com/@evilboyajay/workplace-logo-id-to-workplace-owner-name-disclosurefacebook-bug-bounty-e745db59d0bd) by [Ajay Gautam](https://twitter.com/evilboyajay)
- **[Jan 11 - $ ???]** [Facebook PageAnalyst Could Add oneself as Moderator on Group](https://www.symbo1.com/articles/2019/01/11/fb-pageanalyst-could-add-oneself-as-moderator-on-group.html) by [onehackzero](https://www.symbo1.com)
- **[Jan 08 - $ ???]** [View the contact list for a Messenger Kid as a parent-approved contact](https://philippeharewood.com/view-the-contact-list-for-a-messenger-kid-as-a-parent-approved-contact/) by [Ash King](https://twitter.com/phwd)
- **[Jan 05 - $ 750]** [Facebook Android Application](https://www.ash-king.co.uk/downloading-any-file-via-facebook-android.html) by [Ash King](https://www.facebook.com/Ashley.King.UK)
- **[Jan 04 - $ 1,000]** [Stealing Side-Channel Attack Tokens in Facebook Account Switcher](https://medium.com/@maxpasqua/stealing-side-channel-attack-tokens-in-facebook-account-switcher-90c5944e3b58) by [Max Pasqua](https://medium.com/@maxpasqua)

### 2018:
- **[Oct 09 - $ ???]** [Facebook-Business-Takeover](https://philippeharewood.com/facebook-business-takeover/) by [Philippe Harewood](https://twitter.com/phwd)
- **[Aug 22 - $ ???]** [Send-Payment-Invoices-As-Any-Facebook-Page](https://philippeharewood.com/send-payment-invoices-as-any-facebook-page/) by [Philippe Harewood](https://twitter.com/phwd)
- **[Aug 09 - $ 5,000]** [Remote Code Execution on a Facebook server](https://blog.scrt.ch/2018/08/24/remote-code-execution-on-a-facebook-server/) by [Sec team](https://blog.scrt.ch/)
- **[Jul 24 - $ ???]** [Disclose-Page-Admins-Via-Gaming-Dashboard-Bans](https://philippeharewood.com/disclose-page-admins-via-gaming-dashboard-bans/) by [Philippe Harewood](https://twitter.com/phwd)
- **[Jul 18 - $ ???]** [Determine-Members-In-A-Closed-Facebook-Group](https://philippeharewood.com/determine-members-in-a-closed-facebook-group/) by [Philippe Harewood](https://twitter.com/phwd)
- **[Jul 12 - $ ???]** [Application-Secret-Embedded-In-Login-Flow-For-Facebook-Swag-Store](https://philippeharewood.com/application-secret-embedded-in-login-flow-for-facebook-swag-store/) by [Philippe Harewood](https://twitter.com/phwd)
- **[Jun 13 - $ ???]** [Disclose-Page-Admins-Via-Job-Source-Recruiter-Requests](https://philippeharewood.com/disclose-page-admins-via-job-source-recruiter-requests/) by [Philippe Harewood](https://twitter.com/phwd)
- **[May 23 - $ 500]** [Toggling comment option of a post in a linked group as an analyst.](https://asad0x01.blogspot.com/2018/05/toggling-comment-option-of-post.html) by [asad0x01](https://asad0x01.blogspot.com)
- **[May 17 - $ 750]** [Make products Out of Stock in Facebook Pages](http://whitehatstories.blogspot.com/2018/05/how-i-could-have-made-your-products-out.html) by [Neeraj Gopal](http://whitehatstories.blogspot.com)
- **[Apr 01 - $ 500]** [Leaking of page store details](http://whitehatstories.blogspot.com/2018/04/hi-this-post-is-regarding-one-of-my.html) by [Neeraj Gopal](http://whitehatstories.blogspot.com)
- **[Mar 31 - $ 3,000]** [Setting up tests for any App](http://whitehatstories.blogspot.com/2018/03/setting-up-tests-for-any-app-or-pixel.html) by [Neeraj Gopal](http://whitehatstories.blogspot.com)
- **[Mar 27 - $ ???]** [Disclose-Page-Admins-Via-Watch-Parties-In-A-Facebook-Group](https://philippeharewood.com/disclose-page-admins-via-watch-parties-in-a-facebook-group/) by [Philippe Harewood](https://twitter.com/phwd)
- **[Mar 16 - $ 1,000]** [See unpublished jobs of any page.](https://asad0x01.blogspot.com/2018/03/see-unpublished-job-of-any-page.html) by [asad0x01](https://asad0x01.blogspot.com)
- **[Mar 16 - $ ???]** [View-Facebook-Friends-For-Any-User](https://philippeharewood.com/view-facebook-friends-for-any-user/) by [Philippe Harewood](https://twitter.com/phwd)
- **[Mar 15 - $ ???]** [Disclose-Facebook-Page-Admins-Via-Facebook-Camera-Effects](https://philippeharewood.com/disclose-page-admins-via-facebook-camera-effects/) by [Philippe Harewood](https://twitter.com/phwd)
- **[Mar 16 - $ ???]** [View-Private-Instagram-Photos](https://philippeharewood.com/view-private-instagram-photos/) by [Philippe Harewood](https://twitter.com/phwd)
- **[Mar 13 - $ ???]** [View-The-Facebook-Stories-For-Any-Media-Effect](https://philippeharewood.com/view-the-facebook-stories-for-any-media-effect/) by [Philippe Harewood](https://twitter.com/phwd)
- **[Mar 10 - $ ???]** [Access to FBConnections](https://philippeharewood.com/access-to-fbconnections/) by [Philippe Harewood](https://twitter.com/phwd)
- **[Feb 24 - $ 1,500]** [How I was able to delete any image in Facebook community](https://medium.com/@JubaBaghdad/how-i-was-able-to-delete-any-image-in-facebook-community-question-forum-a03ea516e327) by [Sarmad Hassan](https://twitter.com/JubaBaghdad)
- **[Feb 23 - $ ???]** [Disclose-Facebook-Page-Admins-In-3d](https://philippeharewood.com/disclose-facebook-page-admins-in-3d/) by [Philippe Harewood](https://twitter.com/phwd)
- **[Feb 21 - $ ???]** [Change-The-Background-Of-3d-Posts-For-Any-Facebook-User](https://philippeharewood.com/change-the-background-of-3d-posts-for-any-facebook-user/) by [Philippe Harewood](https://twitter.com/phwd)
- **[Feb 11 - $ ???]** [Create-Learning-Units-For-Any-Group](https://philippeharewood.com/create-learning-units-for-any-group/) by [Philippe Harewood](https://twitter.com/phwd)
- **[Jan 22 - $ ???]** [Path-Disclosure-In-Instagram-Ads-Graphql](https://philippeharewood.com/path-disclosure-in-instagram-ads-graphql/) by [Philippe Harewood](https://twitter.com/phwd)
- **[Jan 16 - $ ???]** [View-The-Vr-Experiences-For-Any-Oculus-User](https://philippeharewood.com/view-the-vr-experiences-for-any-oculus-user/) by [Philippe Harewood](https://twitter.com/phwd)
- **[Jan 15 - $ ???]** [View-The-Email-Subscriptions-For-Any-Oculus-User](https://philippeharewood.com/view-the-email-subscriptions-for-any-oculus-user/) by [Philippe Harewood](https://twitter.com/phwd)
- **[Jan 15 - $ ???]** [View-The-Bug-Subscriptions-For-Any-Oculus-User](https://philippeharewood.com/view-the-bug-subscriptions-for-any-oculus-user/) by [Philippe Harewood](https://twitter.com/phwd)
- **[Jan 10 - $ ???]** [Unintended-Control-Over-The-Email-Body-In-Partner-Integration-Email-Instructions](https://philippeharewood.com/unintended-control-over-the-email-body-in-partner-integration-email-instructions/) by [Philippe Harewood](https://twitter.com/phwd)
- **[Jan 05 - $ ???]** [Disclose-Page-Admins-Via-Our-Story-Feature](https://philippeharewood.com/disclose-page-admins-via-our-story-feature/) by [Philippe Harewood](https://twitter.com/phwd)

### 2017:
- **[Dec 26 - $ ???]** [Facebook-Ad-Spend-Details-Leaking-For-Facebook-Marketing](https://philippeharewood.com/facebook-ad-spend-details-leaking-for-facebook-marketing-partners/) by [Philippe Harewood](https://twitter.com/phwd)
- **[Dec 21 - $ ???]** [Searching-Internal-Gatekeeper-Constants](https://philippeharewood.com/searching-internal-gatekeeper-constants/) by [Philippe Harewood](https://twitter.com/phwd)
- **[Oct 24 - $ ???]** [Make-Recruiting-Referrals-On-Behalf-Of-Facebook](https://philippeharewood.com/make-recruiting-referrals-on-behalf-of-facebook/) by [Philippe Harewood](https://twitter.com/phwd)
- **[Oct 26 - $ ???]** [Posting-Gifs-As-Anyone-On-Facebook](https://philippeharewood.com/posting-gifs-as-anyone-on-facebook/) by [Philippe Harewood](https://twitter.com/phwd)
- **[Oct 11 - $ ???]** [View-Former-Members-Of-A-Facebook-Group](https://philippeharewood.com/view-former-members-of-a-facebook-group/) by [Philippe Harewood](https://twitter.com/phwd)
- **[Oct 08 - $ ???]** [Facebook-Graphql-Csrf](https://philippeharewood.com/facebook-graphql-csrf/) by [Philippe Harewood](https://twitter.com/phwd)
- **[Sep 18 - $ ???]** [Disclose-Users-With-Roles-On-Facebook-Pages](https://philippeharewood.com/disclose-users-with-roles-on-facebook-pages/) by [Philippe Harewood](https://twitter.com/phwd)
- **[Aug 24 - $ ???]** [Facebook-Stories-Disclose-Facebook-Friend-List](https://philippeharewood.com/facebook-stories-disclose-facebook-friend-list/) by [Philippe Harewood](https://twitter.com/phwd)
- **[May 11 - $ ???]** [Find-Mingle-Suggestions-For-Any-Facebook-User-Revisited](https://philippeharewood.com/find-mingle-suggestions-for-any-facebook-user-revisited/) by [Philippe Harewood](https://twitter.com/phwd)
- **[May 08 - $ ???]** [Determine-A-User-From-A-Private-Phone-Number](https://philippeharewood.com/determine-a-user-from-a-private-phone-number/) by [Philippe Harewood](https://twitter.com/phwd)
- **[Mar 24 - $ ???]** [Find-Instagram-Contacts-For-Any-User-On-Facebook](https://philippeharewood.com/find-instagram-contacts-for-any-user-on-facebook/) by [Philippe Harewood](https://twitter.com/phwd)
- **[Feb 02 - $ ???]** [Find-Mingle-Suggestions-For-Any-Facebook-User](https://philippeharewood.com/find-mingle-suggestions-for-any-facebook-user/) by [Philippe Harewood](https://twitter.com/phwd)
- **[Jan 20 - $ ???]** [Delete-A-Hotel-Object-From-A-Facebook-Product-Catalog](https://philippeharewood.com/delete-a-hotel-object-from-a-facebook-product-catalog-using-public_profile-permission/) by [Philippe Harewood](https://twitter.com/phwd)
- **[Jan 04 - $ ???]** [See-If-Any-Facebook-User-Is-Marked-In-A-Crisis](https://philippeharewood.com/see-if-any-facebook-user-is-marked-in-a-crisis/) by [Philippe Harewood](https://twitter.com/phwd)
- **[Jan 04 - $ ???]** [Order-Facebook-Friends-By-Facebook-Recruiting-Technical-Coefficient](https://philippeharewood.com/order-facebook-friends-by-facebook-recruiting-technical-coefficient/) by [Philippe Harewood](https://twitter.com/phwd)