In an effort to harden the security of its hardware products, Meta today announced new guidelines for its Bug Bounty program, specifying the inclusion of both the Quest Pro headset and Touch Pro controllers, and what the company will pay out for specific bugs uncovered by security researchers.

Like some other tech companies, Meta runs a Bug Bounty program which encourages security researchers to probe its products for vulnerabilities in exchange for a payout.

Meta has been running this program for some time across various products, but today the company added new payout guidelines specific to its VR products, including Quest Pro and the Touch Pro controllers, as well as Quest 2, Quest 1, and many of the company’s recent non-VR hardware products.

According to the guidelines, Meta is offering up to $45,000 for major exploits on its hardware products (like remote code execution on a headset), and between $500 and $3,000 for smaller exploits (like sneaking an app around the user’s permission settings).

The guidelines detail how Meta will assess the various classes of exploits and how their severity will determine the payout. The company says it will take a range of factors into consideration, including findings that could “potentially result in physical health and safety and privacy risks.”


One of the most interesting additions to the program is surely the Touch Pro controllers. As far as Meta’s VR headsets go, this is a whole new class of device: essentially a little computer capable of tracking its own position thanks to three on-board cameras. None of the company’s prior VR headsets have had such sophisticated controllers, and it will be interesting to see if they open the door to any new security vulnerabilities.

In a blog post recounting the last year of the company’s Bug Bounty program, Meta says it paid out some $2 million to security researchers this year. The company says it got around 10,000 reports in 2022, 750 (7.5%) of which it determined qualified for a payout. That makes the average bounty payment for 2022 around $2,700 per qualifying bug.



Ben is the world's most senior professional analyst solely dedicated to the XR industry, having founded Road to VR in 2011—a year before the Oculus Kickstarter sparked a resurgence that led to the modern XR landscape. He has authored more than 3,000 articles chronicling the evolution of the XR industry over more than a decade. With that unique perspective, Ben has been consistently recognized as one of the most influential voices in XR, giving keynotes and joining panel and podcast discussions at key industry events. He is a self-described "journalist and analyst, not evangelist."
  • ViRGiN

    Making fun of Palmer Luckey's “generous” offer of $5000 for jailbreaking Quest.
    Obviously it never materialized. Anyone cracking such a device so much will always be better off with a proper job offer.
    Era of homebrew hackers is essentially done.