We are at the beginning of our journey to help build the metaverse, and security will play an important role in that work. We have an opportunity and responsibility to develop the frameworks, infrastructure, and tools needed to protect people and their data in these new, interconnected digital spaces. As part of that effort, we’re continuing to evolve our security best practices and work with the global security community to further strengthen our products’ security and keep people safe.
Today, we’re announcing some new Reality Labs-specific updates to our bug bounty program and, with the end of the year around the corner, highlighting security initiatives we’ve rolled out in 2021.
New bug bounty payout guidelines for Reality Labs products
For over a decade, our bug bounty program has played an instrumental role in helping us find and fix product vulnerabilities. With each report, we gain new learnings and feed that back into our overall security work. Meta’s bug bounty program strives to help external researchers do their best work and optimize their time while searching for vulnerabilities in our code and products. That’s why earlier this year we started publishing payout guidelines. Each guideline sets a maximum payout for a particular bug category and describes the mitigating factors we consider in determining the bounty. Typically, the fewer mitigating factors present in a report, the higher the bounty might be. We also highlight any applicable modifiers that could increase the bounty amount.
Today we’re releasing new payout guidelines for Reality Labs hardware products including Meta Quest 2, Meta Portal, and our latest release, Ray-Ban Stories, to provide more transparency into the bounty award process for our hardware devices. For example, a bug that led to unauthorized mic access on Quest would yield a $5,000 USD bounty award, while a persistent full secure boot bypass of a Quest device would earn up to $30,000 USD. If a researcher demonstrates in a bug report that their finding could potentially result in physical health, safety, or privacy risks, we’ll also take these impacts into consideration when determining the overall bounty payout. As we’ve done since establishing the bug bounty program more than 10 years ago, the final payout amount will be based on the maximum possible security impact of a bug submission.
We hope that these additional payout guidelines help researchers understand which bugs will yield the largest bounty awards and incentivize more security analysis of our hardware products. Check out our new guidelines here.
Additionally, we’ve updated our bug bounty terms of service to note that Ray-Ban Stories, built in partnership with EssilorLuxottica, is in scope for our bug bounty program. Verified Ray-Ban Stories bug submissions are eligible to receive a bounty award, and researchers who submit potential vulnerabilities in the smart glasses and their companion app, Facebook View, will receive the safe harbor protections outlined in our terms of service.
Security features on Quest
In addition to what’s new with our bug bounty program, we want to take a moment to highlight new security-focused features we rolled out across the Quest Platform this year.
In our v31 Quest software update this June, we unveiled a brand new Security tab in Settings where people can find tools to further secure their accounts. Under this new tab, you can choose to set an Unlock Pattern (both on the mobile app and in-headset) to log into your headset and access saved passwords when logging into websites on Browser. To enable the feature, all you have to do is draw a pattern using your Touch controllers. It’s an easy way to further secure your headset, especially if you share it with family and friends.
We also added a feature to help save your passwords on Browser to take the guesswork out of remembering them. Simply enter your password once and let Browser auto-fill your saved password for you the next time you log into that website. For added security, your saved passwords are stored on-device and protected by encryption. We’ll continue to build out the features and tools under the Security tab over time.
Finally, at Connect we shared that Safe Browsing powered by Google is now available on the Quest Browser. When Safe Browsing is turned on, you’ll receive warnings if you attempt to visit websites that could potentially be malicious or trick people into installing harmful software. This feature can be found under the Privacy and Security tab in Browser.
Funding research on security in AR/VR
Security is an ongoing effort as the threat landscape is constantly evolving. We have to think several steps ahead on what the next generation of security threats and potential risk areas will look like. This is especially important for emerging technologies like augmented and virtual reality on the road to the metaverse.
We know that we can’t — and shouldn’t — do this work alone. It’s important that we partner with external experts as we ask these larger questions around security and privacy challenges and share our findings with the broader community.
Last year, our Security Assurance Team at Reality Labs launched a series of RFPs focused on fostering innovation and deepening our collaboration with academia through research exploring new methods and models for building trustworthy AR, VR, and smart device products. We continued this RFP series in 2021 and recently announced the eight winners of this year’s award.
Award recipients will research a range of critical security topics, including multi-factor authentication in AR, hardware trojan detection through imaging and machine learning, and how to preserve people’s privacy with eye tracking through adversarial learning.
We look forward to seeing the results of this research and hope it helps inform the industry’s work on building trustworthy AR/VR products and experiences.