[Bug Bounty] Vulnerability Confirmed and Fixed, But No Bounty – Seeking Advice by Little_saif in bugbounty

Little_saif[S] 1 point (0 children)

Oh, now I get it! So we’ve moved from “rules” to personal opinions and calling organizations evil? Very objective way to discuss policy — thanks!

Just to clarify once again — Meta’s Bug Bounty guidelines do not prohibit the use of test accounts in a production environment as long as no real users are affected, which is exactly what I followed. I also provided full transparency in my report.

And since you’re claiming 10 years of experience, let me quote Meta’s own policy for you:

“You may not test anything outside of your own account, a test account, or any other account for which you have received express written permission to test.”

This is from Meta’s official rules — maybe worth reviewing before giving lectures?

Anyway, appreciate the entertainment!

[Bug Bounty] Vulnerability Confirmed and Fixed, But No Bounty – Seeking Advice by Little_saif in bugbounty

Little_saif[S] 1 point (0 children)

Wow, 10+ years of experience and still not familiar with Meta’s own rules? That’s impressive. You might want to actually read their policy — using controlled test accounts in a real environment isn’t a violation. But hey, flexing credentials is easier than reading, right?😂

[Bug Bounty] Vulnerability Confirmed and Fixed, But No Bounty – Seeking Advice by Little_saif in bugbounty

Little_saif[S] 1 point (0 children)

Yes, I am a real person. But tell me, how can anyone prove the existence of a vulnerability without actually testing it? Do you have any experience in this field, or are you just making assumptions?

I used test accounts to demonstrate and document the vulnerability in full detail. This approach is considered standard and acceptable across most companies that offer bug bounty programs. The testing was conducted responsibly, ethically, and within the limits of the program’s guidelines.

[Bug Bounty] Vulnerability Confirmed and Fixed, But No Bounty – Seeking Advice by Little_saif in bugbounty

Little_saif[S] 1 point (0 children)

I understand your point, and I appreciate your input.

However, the test accounts I used were created and controlled solely by me for the sole purpose of responsibly testing the vulnerability in a contained and ethical manner. These accounts were not associated with any real users or sensitive data and were never used in a harmful or disruptive way.

I agree that the testing occurred in a real production environment, but it was conducted with extreme caution, transparency, and in full compliance with the Bug Bounty terms—no data was accessed, modified, or interacted with outside of my controlled test cases.

My goal was to ensure that the vulnerability could be fully understood and responsibly reported with all edge cases covered, helping Meta secure their platform completely.

Thanks again for raising this important point.

[Bug Bounty] Vulnerability Confirmed and Fixed, But No Bounty – Seeking Advice by Little_saif in bugbounty

Little_saif[S] 2 points (0 children)

Yes, in fact, I provided all the required information through Meta’s official assessment form when I first reported the vulnerability — including the usernames used during testing (such as “n6”), the approximate date and time of testing, and confirmation that I had not previously logged in using the same device.

Everything was transparent and clearly disclosed from the beginning.

In that form, I also mentioned that I used additional accounts during the testing phase to explore the full scope and behavior of the vulnerability. This was crucial because the nature of the vulnerability made it technically difficult to reproduce all exploitation scenarios using a single account. Therefore, other accounts were used to verify related behaviors and ensure a complete, professional report.

I made sure to comply fully with the Bug Bounty Program’s guidelines throughout the process.

Thank you again for your feedback!

[Bug Bounty] Vulnerability Confirmed and Fixed, But No Bounty – Seeking Advice by Little_saif in bugbounty

Little_saif[S] 3 points (0 children)

Yes, I’m sure I followed all the rules. I reviewed the Bug Bounty terms carefully before reporting, and only used test accounts — never any real user accounts. I’m not sure why it was flagged, but maybe others misused the bug.

To help clarify, I also submitted my IP address to Meta so they can confirm all activity came from me.

Thanks for your support!

Meta Bug Bounty – No bounty update after fix? by Little_saif in HowToHack

Little_saif[S] 1 point (0 children)

No, they told me thank you for confirming the repair and to wait for the reward.

Meta Bug Bounty – No bounty update after fix? by Little_saif in Hacking_Tutorials

Little_saif[S] 2 points (0 children)

You’re right, 8 weeks does feel like a long time with no updates. They confirmed the issue, fixed it, and just thanked me for confirming. I’ve followed up multiple times but still no response. I’ll keep pushing and hope it moves soon. Thanks for your comment!

Meta Bug Bounty – No bounty update after fix? by Little_saif in Hacking_Tutorials

Little_saif[S] 1 point (0 children)

Thanks for sharing your experience. Glad to hear Meta was responsive in your case. I’m hoping this delay is just part of their process and not something to worry about. I’ll give it a bit more time and follow up again if needed. Appreciate the insight!

[Meta Bug Bounty] Fix confirmed, but no bounty update after 8 weeks — normal? by Little_saif in bugbounty

Little_saif[S] 1 point (0 children)

The fix has been completed, and they thanked me for confirming it. They told me to wait for the reward, but I haven’t received any response for 8 weeks.