Found a cool bug at Meta.
From misconfigured Grafana instance to R/W access on 507 private Meta repositories.
Wrote up the full chain here:
sectricity.com/blog/misconfig…
$157k bounty awarded by @metabugbounty
There is a critical vulnerability in React Server Components disclosed as CVE-2025-55182 that impacts React 19 and frameworks that use it.
A fix has been published in React versions 19.0.1, 19.1.2, and 19.2.1. We recommend upgrading immediately.
react.dev/blog/2025/12/0…
We have a new Specialized Abuse Track and we’re looking for a select group of passionate researchers to help shape the future of abuse prevention on our platforms.
This is a new focus area designed to reward researchers who help us identify potential abuse vectors across Meta’s platforms, even when no traditional security vulnerability is present. As a pilot participant, you’ll have the opportunity to provide feedback, test new processes, and help us refine how we tackle novel abuse issues.
Eligible reports receive rewards, just like with any Meta Bug Bounty reports. Interested? Apply with your published writeups and research by filling out this form:
forms.gle/9QzV7j89HccXmc…
Celebrating 15 years of our Bug Bounty Program! 🎉
In our annual lookback post, we’re sharing program updates and recognizing the incredible contributions of our research community in 2025.
Thank you for helping us keep our products secure for everyone. Read our latest blog post to learn more: bugbounty.meta.com/blog/15th-anni… #BugBounty #Security #Anniversary
I reported an arbitrary code execution in Unity Runtime, which affects all versions starting from Unity 2017.1.
As the vulnerability can be exploited without specific usage, I strongly encourage developers to patch.
Technical details below:
flatt.tech/research/posts…
Fired up to see everyone in beautiful Montreal for @reconmtl 2025 - attend my talk to hear about my research on WhatsApp
cfp.recon.cx/recon-2025/tal…
Might have a surprise 4th bug make an appearance 👀
We're piloting a new invite-only bug bounty for Quest devices and seeking 1-3 experienced researchers (AOSP experience a plus) for a 6-month participation. The scope will focus on RCE/EOP vulns & exploits.
There will be special incentives on top of the regular bounty payouts, including direct support from Meta security engineers.
Interested? Apply with your published writeups and CVEs by filling out this form: forms.gle/SnTyh7Bh7JgFCt…
We're excited to present the first part of our new video series: Meta Quest Firmware Analysis 😎
From the basics all the way up to doing a real-world demo on a Meta Quest device!
Dive into Part 1 exploring enumeration & methods to obtain firmware:
youtube.com/watch?v=NeuWRj…
🎉 As we embark on a new year, we're excited to share our 2024 Meta Bug Bounty end-of-year blog post! 🚀 Dive into our key achievements, see how our bug bounty program has grown, and relive the highlights from our events throughout the year.
engineering.fb.com/2025/02/13/sec…
I'm honestly still in disbelief... grateful to receive a $100k bounty from @meta. Feels surreal. Sharing this to show that with time and dedication, it's possible. This was my first and only submission to Facebook - something I've been chasing for a decade! 🙏 Big thank you to @metabugbounty!
Announcing #Pwn2Own Ireland! Our fall contest is on the move (again) as we head to Cork, Ireland. We also welcome @Meta as a sponsor with #WhatsApp being a target at $300K. Plus the return of the SOHO Smashup. Read all the details at zerodayinitiative.com/blog/2024/7/16… #P2OIreland
Dang, dude, the Meta program is insane. Their biggest bounty is $300k. That's as much as an entire hacking event back in the day! Here's @nahamsec explaining how crazy this is for hunting.
Check out our Native assurance team's latest blog post on the attack surface of Quest 2 and their journey to exploiting a memory corruption vulnerability in it. engineering.fb.com/2023/09/12/sec…
Had a fantastic time in Seoul with the team from @metabugbounty; felt inspired to use Quest 2 native libraries for my latest blog on non-root Android Code Coverage generation!
datalocaltmp.github.io/visualizing-an…