Facebook-BugBounty-Writeups

Inspired from xdavidhu & 1hack0 this is a repo which contains Facebooks Updated BugBounty Writeups.

Contributing:

If you have/know of any Facebook writeups not listed in this repository, feel free to open a Pull Request. Please try to sort the writeups by publication date.

The template to follow when adding new writeups:

- **[MONTH DAY - $BOUNTY]** [TITLE](URL) by [NAME](TWITTER_URL)

If the bounty amount is not available, write $???.
If no Twitter account is available, try finding something similar, like other social media page or website.

Writeups

2021:-

• [Mar 19 - $ 54,800] How I hacked Facebook: Part Two by Alaa Abdulridha
• [Mar 16 - $ 1,000] VOICE CONFUSION WHEN COMMENTING ON WATCH PARTY by Prakash Panta
• [Mar 16 - $ 9,000] Facebook Group Members Disclosure by Baibhav Anand Jha
• [Mar 04 - $ 500] Low hanging fruits on Facebook Group Room by Randy Arios
• [Mar 03 - $ 500] THE INVINCIBLE KID by Samip Aryal
• [Feb 28 - $ ???] Join Facebook Group With Unpublish Page by Gevakun
• [Feb 27 - $ ???] Disclose hidden Product Images by featuring a non-owned collection by Bassem Bazzoun
• [Feb 18 - $ ???] Open redirect in www.oversightboard.com by Sarmad Hassan
• [Feb 18 - $ 500] Expose Facebook object type by Samm0uda
• [Feb 18 - $ 3,600] Expose information about Partner accounts by Samm0uda
• [Feb 18 - $ 500] Ability to find Facebook employee’s test accounts by Samm0uda
• [Feb 18 - $ 500] Disclose internal CMS objects content by Samm0uda
• [Feb 18 - $ 500] Determine admin email addresses of Partners portal account by Samm0uda
• [Feb 18 - $ 500] XSS in Facebook CDN by Samm0uda
• [Feb 17 - $ 500] Dangling DNS Records on api.techprep.fb.com by Binit Ghimire
• [Feb 17 - $ 4,800] Enumerate internal cached URLs which lead to data exposure by Samm0uda
• [Feb 17 - $ 2,000] Leaking Facebook user information to external websites by Samm0uda
• [Feb 17 - $ 500] Open redirect in Instagram.com by Samm0uda
• [Feb 17 - $ 1,500] Access private information about SparkAR effect owners who has a publicly viewable portfolio by Samm0uda
• [Feb 17 - $ 3,000] Make recruiting referrals on behalf of employees by Samm0uda
• [Feb 15 - $ 500] Leak of internal categorySets names and employees test accounts. by Samm0uda
• [Feb 15 - $ 1,000] Delete linked payments accounts of a Facebook page (or user) by Samm0uda
• [Feb 15 - $ 12,500] Access files uploaded by employees to internal CDNs / Regenerate URL signature of user uploaded content. by Samm0uda
• [Feb 15 - $ 500] URLs in img tag aren’t passed through safe_image.php which lead to exposure of Facebook users IPs. by Samm0uda
• [Feb 15 - $ 500] View orders and financial reports lists for any page shop by Samm0uda
• [Feb 10 - $ ???] Sending ephemeral message to any Facebook user by Rahul Kankrale
• [Feb 03 - $ 2,000] Facebook Messenger Desktop App Arbitrary File Read by Renwa
• [Feb 02 - $ ???] Access developer tasks list of any Facebook Application by Amine Aboud
• [Feb 02 - $ ???] Create a block list in brand safety on behalf of any other user by Sarmad Hassan
• [Jan 28 - $ 4,000] Launching Internal & Non-Exported Deeplinks by Ashley King
• [Jan 14 - $ 1,000] Irremovable Facebook group album photos by Shubham Bhamare
• [Jan 08 - $ 30,000] Create post on any Facebook page by Pouya Darabi
• [Jan 08 - $ ???] Facebook: Linkshim protection bypass using fb://webview by Rahul Kankrale
• [Jan 04 - $ 5,000] Bypass of a FaceBook Page Admin Disclosure by Shubham Bhamare
• [Jan 03 - $ 5,000] Expose the email address of Workplace users by Samm0uda
• [Jan 01 - $ 30,000] XSS on forums.oculusvr.com by Samm0uda
• [Jan 01 - $ 500] Clearing tournament match score as participant by Rony K Roy

2020:-

• [Dec 31 - $ 10,000] Account takeovers in third party websites by Samm0uda
• [Dec 31 - $ 500] Blocked fundraiser organizer unable to remove themseleves by Vivek PS
• [Dec 26 - $ 1,500] Facebook page admin disclosure by "Message Seller" by Shubham Bhamare
• [Dec 20 - $ 13,125] How I was able to view anyone’s private email and birthday by Saugat Pokharel
• [Dec 19 - $ 1,000] Finding the hidden members of the private events by Vivek PS
• [Dec 12 - $ 5,000] Confirm an email address belonging to a specific user by Abdellah Yaala
• [Dec 11 - $ 7,500] How I hacked Facebook: Part One by Alaa Abdulridha
• [Nov 13 - $ 10,000] Facebook SSRF by Amine Aboud
• [Nov 13 - $ 500] Replying Comments On Someone’s LiveStream From Page is Posted as Personal Identity by Prakash Panta
• [Nov 13 - $ 16,125] How I Found The Facebook Messenger Leaking Access Token Of Million Users by Guhan Raja
• [Nov 13 - $ 500 ] Commenting on a post by opening it via page’s news-feed goes from a wrong actor by Samip Aryal
• [Nov 13 - $ 500] User’s private videos/saved videos exposed through a messenger call from a locked smartphone. by Samip Aryal
• [Nov 10 - $ 1500] Facebook iOS address bar spoofing by Rahul Kankrale
• [Nov 07 - $ 25,000] Facebook DOM Based XSS using postMessage by Samm0uda
• [Nov 04 - $ 10,750] Delete Any Photos In Facebook by Lokesh Kumar
• [Nov 02 - $ 4838] Reveal the page admin that uploaded a video on the page in comment section by Lokesh Kumar
• [Oct 30 - $ ???] Ability To Backdoor Facebook For Android by Ash King
• [Oct 21 - $ 2000] Perform substring search for emails even if Workplace admin hides email profile field. by Rahul Kankrale
• [Oct 21 - $ 3000] Facebook Page Admin Disclosure by Rahul Kankrale
• [Oct 12 - $ 500] Disclose Emails, phone numbers, more For Facebook users who tried to add funds to their account by Mustafa Ahmed
• [Oct 05 - $ 500] Easy wins : verbose error worth Facebook HOF by Mukul Lohar
• [Oct 02 - $ 10,000] Arbitrary code execution on Facebook for Android through download feature by Mukul Lohar
• [Sep 30 - $ ???] Story of a weird vulnerability I found on Facebook by Amine Aboud
• [Sep 15 - $ ???] How I Accidentally Got My First Bounty From Facebook by Bishal Shrestha
• [Sep 12 - $ ???] How I Hacked Facebook Again! Unauthenticated RCE on MobileIron MDM by Orange Tsai
• [Aug 18 - $ 500] How could I Tag Photo to any user’s Scrapbook on Facebook by Raja Sudhakar
• [Aug 14 - $ 6,000] Deleted data stored permanently on Instagram? Facebook Bug Bounty 2020 by Saugat Pokharel
• [Aug 11 - $ ???] Group Admin Can’t Able to Moderate Comments by Prakash Panta
• [Aug 10 - $ ???] My 2nd 4digit Bug Bounty From Facebook by Sudip Shah
• [Aug 08 - $ 500] Reflected XSS in Facebook’s mirror websites by Sudhanshu Rajbhar
• [July 30 - $ ???] Weird Behavior of Facebook Page FAQ Leading to Bounty from Facebook by Ashok Chapagai
• [July 27 - $ ???] Disclose content of internal Facebook javascript modules by Samm0uda
• [July 17 - $ ???] Story Of 4 digit bounty by Sudip Shah
• [July 02 - $ 1500] Browser Anamoly by easySIEM
• [July 02 - $ 5500] Admin disclosure of Facebook verified pages by Samm0uda
• [June 25 - $ ???] Hidden Comments by Saugat Pokharel
• [June 21 - $ ???] XSS-On-Facebook by Bipin Jitiya
• [June 20 - $ 1500] Information Disclosure On Facebook by Alaa Abdulridha
• [June 18 - $ ???] Page-Admin-Disclosure by Saugat Pokharel
• [June 14 - $ ???] Privilege escalation in Partners Portal to Admin access by Samm0uda
• [June 14 - $ ???] Disclose the Instagram account linked to a Facebook user account or page by Samm0uda
• [June 14 - $ ???] Internal directories enumeration in www by Samm0uda
• [June 05 - $ ???] Delete saved credit cards from any Business Manager Account by Rohit kumar
• [June 02 - $ 10000] Another image removal vulnerability on Facebook by Pouya Darabi
• [May 28 - $ ???] How I made $31500 by submitting a bug to Facebook by Bipin Jitiya
• [May 28 - $ ???] How I was able to see Private Video Uploader Via Facebook Rights Manager by Kishore TK
• [May 21- $ ???] Cannot Revoke Session on Messenger for Kids by Saugat Pokharel
• [May 21 - $ ???] Bypassing Message Request inbox by Abdellah Yaala
• [May 20 - $ ???] Change any link at https://fbwat.ch/ by Philippe Harewood
• [May 20 - $ 7500] Become member of close & public group by abdellah yaala
• [May 18 - $ 1500] FB & Messenger for iOS : Address Bar spoofing using data uri by Rahul Kankrale
• [May 12 - $ 750] Change the profanity filter for any Facebook page by Philippe Harewood
• [May 07 - $ 20000] $20000 Facebook DOM XSS by Vinoth Kumar
• [May 02 - $ ???] Private Dashboards were accessible by Rohit kumar
• [May 02 - $ ???] Exposure of Facebook object type by knowing the object ID by Samm0uda
• [May 02 - $ ???] Add draft subtitles to any Facebook video and Full Path Disclosure by Samm0uda
• [Apr 16 - $ 750] Recieving instagram notifications after Logout by Jane Manchun Wong
• [Apr 04 - $ ???] Cannot Delete Post on Facebook Group: Facebook Bug Bounty by Saugat Pokharel
• [Apr 01 - $ ???] The story of my first ever, $xxxx by Ashok Chapagai
• [Mar 14 - $ ???] Blocked User Can Send Notification Due to Logical Bug by Divyanshu Shukla
• [Mar 13 - $ ???] Generate valid signatures for FBCDN urls by Philippe Harewood
• [Mar 11 - $ ???] Generate valid signatures for files hosted in Facebook CDNs by Samm0uda
• [Mar 11 - $ ???] Ability to bruteforce Instagram account’s password due to lack of rate limitation protection by Samm0uda
• [Mar 01- $ 55,000] Facebook OAuth Framework Vulnerability by Amol Baikar
• [Feb 29 - $ 3000] Page Admin Disclosure via an Upgraded Page Post by dw1
• [Feb 28 - $ 12,500] Facebook CSRF bug which lead to Instagram Partial account takeover. by Samm0uda
• [Feb 17 - $ 500] Open-redirect Vulnerability on Facebook by Ashok Chapagai
• [Feb 08 - $ ???] Determine users with detailed role model on behalf of any Facebook Application by Amol Baikar
• [Feb 04 - $ ???] Allowing Read From The File System Access by Ashok Chapagai
• [Feb 02 - $ ???] Disclose Full Admin List of any Facebook Applications by Amol Baikar
• [Jan 26 - $ ???] XSS on Facebook-Instagram CDN Server bypassing signature protection by Amol Baikar
• [Jan 26 - $ ???] Disclose Facebook Business Account ID by Amol Baikar
• [Jan 26 - $ ???] XSS on Facebook’s acquisition Oculus CDN Server by Amol Baikar
• [Jan 23 - $ 12,500] Cross-Site Websocket Hijacking bug in Facebook that leads to account takeover by Samm0uda
• [Jan 22 - $ 500] Facebook Vulnerability: Hidden “Community Manager” in Pages due to “Invitation Accept” logic by Ritish Kumar Singh

2019 Facebook Bug Bounty Write-ups

• [Dec 29 - $ ???] Information Disclosure Bug by Circle Ninja
• [Dec 26 - $ ???] Bypassing Brand Collabs Manager Eligibility on Facebook by Ajay Gautam
• [Dec 13 - $ ???] Facebook New Account Verification Bypass by Santosh Baral
• [Dec 09 - $ 3,000] Media deletion CSRF vulnerability on Instagram by Pouya Darabi
• [Nov 27 - $ 5,000] Reflected XSS in graph.facebook.com leads to account takeover in IE/Edge by Samm0uda
• [Nov 21 - $ 1,000] Disable Any Unconfirmed Account in Facebook by Lokesh Kumar
• [Nov 20 - $ ???] Delete Facebook Ask for Recommendations post’s place objects in comments by Raja Sudhakar
• [Nov 19 - $ ???] Disclose the owner of a recruiting manager in Jobs Beta by Philippe Harewood
• [Nov 16 - $ ???] View the ranked messenger users for any page by Philippe Harewood
• [Oct 30 - $ 500] Live Video facebook application (Android) its not expired when log out by Naufal Septiadi
• [Oct 28 - $ ???] Crash web — app through application form of job application pages by TienDat
• [Oct 24 - $ 1,500] Session Expiration Bypass in Facebook Creator App by Philippe Harewood
• [Oct 22 - $ 3,000] Disclose members in any closed Facebook group by Ahmad Talahmeh
• [Oct 17 - $ ???] 1-800-Flowers Credentials and message log leak via facebook.com/facebook by Philippe Harewood
• [Oct 15 - $ 500] Disclosure the verified phone number in Checkpoint. by TienDat
• [Oct 12 - $ ???] Whitehat test accounts can act as Hidden Admin with Business manager / Ad Accounts. by Rohit kumar
• [Sep 21 - $ 500] Facebook Workplace Privilege Escalation Vulnerability To Change The Post Privacy As Public by Guhan Raja
• [Sep 20 - $ ???] Business ID leak via Creative Hub redirect by Philippe Harewood
• [Sep 13 - $ ???] How two dead accounts allowed remote crash of any instagram android user by Philippe Harewood
• [Sep 12 - $ ???] Facebook employee internal tool and conversations leaked in Facebook video by Philippe Harewood
• [Sep 12 - $ ???] Add users to roles on Facebook pages without an invitation consent by Philippe Harewood
• [Sep 10 - $ ???] Subscribe to the list of requesters to join a Facebook live video using MQTT by Philippe Harewood
• [Sep 09 - $ 750] Oculus identity verification bypass through brute-force by karthik kumar reddy
• [Sep 02 - $ 1,000] HTML to PDF converter bug leads to RCE in Facebook server by Samm0uda
• [Aug 26 - $ 10,000] How I Hacked Instagram Again by Laxman Muthiyah
• [Aug 24- $ ???] Create living room polls as a Facebook page analyst by Philippe Harewood
• [Aug 22 - $ ???] Rights Manager Graph API Disclosure of business employee to non business employee by Jafar_Abo_Nada
• [Aug 21 - $ 500] Instagram account is reactivated without entering 2FA ($500) by Philippe Harewood
• [Aug 21 - $ ???] Sending Message as page being an analyst/ advertiser by Baibhav Anand
• [Aug 19 - $ ???] Facebook Bug Bounty: Reading WhatsApp contacts list without unlocking the device by Arvind
• [Aug 19 - $ 2,500] Removing profile pictures for any Facebook user by Philippe Harewood
• [Aug 18 - $ ???] Add users to roles on Facebook pages without an invitation consent (revisited) by Philippe Harewood
• [Aug 15- $ ???] ByPassing fix of Domain Blocking feature in Business Manager by Rohit kumar
• [Aug 15 - $ ???] Facebook Messenger exposing deleted messages using by Renwa
• [Aug 01 - $ ???] Download predictions details of ads plans of any business. by Samm0uda
• [Aug 01 - $ ???] Internal path disclosure in Instagram server by Samm0uda
• [Aug 01 - $ ???] Access portal of Facebook mobile retailers and see earnings and referrals reports. by Samm0uda
• [Aug 01 - $ ???] View orders and financial reports lists for any page shop by Samm0uda
• [July 26- $ ???] Instagram bug disclosing user’s phone number via checkpoint by Bijan Murmu
• [July 21 - $ ???] Subscribe to typing notifications for any Instagram user by Philippe Harewood
• [July 20 - $ ???] Get Page Inbox notifications for any Facebook page by Philippe Harewood
• [July 17 - $ 500] How Recon helped me to to find a Facebook domain takeover by Sudhanshu Rajbhar
• [July 16 - $ 3,000] CSRF Email Confirmation Vulnerability for Gmail & G-Suite in Facebook by Lokesh Kumar
• [July 15 - $ ???] Sending messages as a page with jobmanager permission by Devansh batham
• [July 14 - $ 30,000] How I Could Have Hacked Any Instagram Account by Laxman Muthiyah
• [July 12 - $ 500] Facebook Bug bounty page admin disclose bug by Yusuf Furkan
• [July 04 - $ 2000] This is how I managed to win $2000 through Facebook Bug Bounty by Saugat Pokharel
• [July 04 - $ 500] Unremovable Co-Host in facebook page events by Ritish Kumar Singh
• [June 28 - $ ???] Page admin disclosure by Bijan Murmu
• [June 26 - $ ???] Toggle Group Rules Agreement as a non-member by Philippe Harewood
• [June 24 - $ ???] Download .arexport files for any public AR Studio Effect by Philippe Harewood
• [June 22 - $ ???] Page Admin Disclosure by Ajay Gautam
• [June 17 - $ 500] Business user Employees could have applied block list to all ad accounts listed in the business manager. by Rohit kumar
• [June 11 - $ 1,500] Facebook Vulnerability: Non-unfriendable user in /hacked workflow by Ritish Kumar Singh
• [May 27- $ ???] View Facebook payouts for any Facebook Trivia Game by Philippe Harewood
• [May 25 - $ ???] Disclose files content from Facebook internal CDNs by Samm0uda
• [May 22 - $ 1,000] Determine a Facebook user from an email address by Philippe Harewood
• [May 17 - $ 500] Bypassing Instagram’s stories restriction by Baibhav Anand
• [Apr 30 - $ 3,000] Facebook’s URL spoofing vulnerability by Rahul Kankrale
• [Apr 23 - $ 5,000] Facebook’s Burglary Shopping List by Philippe Harewood
• [Apr 22 - $ ???] Disclose the content of internal Facebook Javascript modules. by John Moss
• [Apr 02 - $ 1,000] Hiding from Facebook Page Admin(s) in /hacked workflow by Ritish Kumar Singh
• [Apr 01 - $ ???] How I was able to get your facebook private friend list by Raja Sekar Durairaj
• [Mar 24 - $ 500] Facebook Marketing Confidential Call Transcript by Philippe Harewood
• [Mar 19 - $ 10,000] Denial of service in Facebook Fizz due to integer overflow by kevin_backhouse
• [Mar 19 - $ 750] DoS Across Facebook Endpoints by Max Pasqua
• [Mar 16 - $ 4,000] Disclosure of Pending Roles for any Facebook Page by Avinash Kumar
• [Mar 11 - $ 1,000] CVE-2018-16794 on fs.thefacebook.com by Philippe Harewood
• [Mar 07 - $ ???] Mapping Communication Between Facebook Accounts Using a Browser-Based Side Channel Attack by Ron Masas
• [Mar 06 - $ ???] Facebook Messenger server random memory exposure through corrupted GIF image by Dzmitry Lukyanenka
• [Mar 05 - $ 1,000] Facebook exploit – Confirm website visitor identities by Tom Anthony
• [Feb 16 - $ ???] Bypass password confirmation in Facebook “DYI” feature by Samm0uda
• [Feb 16 - $ 1,000] Bug Exposed Offsite Employee Events, Sensitive emails Putting Employees at Risk by Rohit kumar
• [Feb 14 - $ ???] Third Party Android App Storing Facebook Data Insecurely by Nightwatch Cybersecurity
• [Feb 13- $ 15,000] Disclose private attachments in Facebook Messenger Infrastructure by Sarmad Hassan
• [Feb 12 - $ 25,000] Facebook CSRF protection bypass which leads to Account Takeover by Samm0uda
• [Feb 12 - $ ???] Export Facebook audience network reports of any business by Samm0uda
• [Feb 07 - $ ???] Internal paths disclosure due to improper exception handling by Samm0uda
• [Feb 07 - $ ???] Leak of private/in-development app ids, names and translation requests by Samm0uda
• [Jan 25 - $ ???] Facebook Change Product Availability as a PageAnalyst by onehackzero
• [Jan 22 - $ ???] Enroll in Facebook Ad-break program without Facebook approval by Samm0uda
• [Jan 22 - $ ???] Disclose page’s admins and its Monetization payout details by Samm0uda
• [Jan 22 - $ ???] Disclose page violations and its eligibility to use Ad-breaks by Samm0uda
• [Jan 22 - $ ???] Disclose Instagram business account linked to a Facebook page by Samm0uda
• [Jan 22 - $ ???] Change payment account of any Facebook commerce page by Samm0uda
• [Jan 22 - $ ???] Expose business email and payment account balance of any Facebook commerce page. by Samm0uda
• [Jan 22 - $ ???] Reveal if a Facebook merchant page has pending or completed orders by Samm0uda
• [Jan 22 - $ ???] Lack of rate limiting protection by Samm0uda
• [Jan 22 - $ ???] Generate Access Tokens for any Facebook user by Samm0uda
• [Jan 22 - $ ???] Modify users profiles of techprep.fb.com by Samm0uda
• [Jan 22 - $ ???] Uploading files to api.techprep.fb.com by Samm0uda
• [Jan 15 - $ 500] Unremovable facebook group admin by Ritish Kumar Singh
• [Jan 13 - $ ???] Hack Your Form – New vector for Blind XSS by Youssef A. Mohamed
• [Jan 11 - $ ???] Workplace Logo ID to workplace owner name Disclosure Facebook Bug Bounty by Ajay Gautam
• [Jan 11 - $ ???] Facebook PageAnalyst Could Add oneself as Moderator on Group by onehackzero
• [Jan 08 - $ ???] View the contact list for a Messenger Kid as a parent-approved contact by Ash King
• [Jan 05 - $ 750] Facebook Android Application by Ash King
• [Jan 04 - $ 1,000] Stealing Side-Channel Attack Tokens in Facebook Account Switcher by Max Pasqua

2018 Facebook Bug Bounty Write-ups

• [Oct 09 - $ ???] Facebook-Business-Takeover by Philippe Harewood
• [Aug 22 - $ ???] Send-Payment-Invoices-As-Any-Facebook-Page by Philippe Harewood
• [Aug 09 - $ 5,000] Remote Code Execution on a Facebook server by Sec team
• [Jul 24 - $ ???] Disclose-Page-Admins-Via-Gaming-Dashboard-Bans by Philippe Harewood
• [Jul 18 - $ ???] Determine-Members-In-A-Closed-Facebook-Group by Philippe Harewood
• [Jul 12 - $ ???] Application-Secret-Embedded-In-Login-Flow-For-Facebook-Swag-Store by Philippe Harewood
• [Jun 13 - $ ???] Disclose-Page-Admins-Via-Job-Source-Recruiter-Requests by Philippe Harewood
• [May 23 - $ 500] Toggling comment option of a post in a linked group as an analyst. by asad0x01
• [May 17 - $ 750] Make products Out of Stock in Facebook Pages by Neeraj Gopal
• [Apr 01 - $ 500] Leaking of page store details by Neeraj Gopal
• [Mar 31 - $ 3000] Setting up tests for any App by Neeraj Gopal
• [Mar 27 - $ ???] Disclose-Page-Admins-Via-Watch-Parties-In-A-Facebook-Group by Philippe Harewood
• [Mar 16 - $ 1000] See unpublished jobs of any page. by asad0x01
• [Mar 16 - $ ???] View-Facebook-Friends-For-Any-User by Philippe Harewood
• [Mar 15 - $ ???] Disclose-Facebook-Page-Admins-Via-Facebook-Camera-Effects by Philippe Harewood
• [Mar 16 - $ ???] View-Private-Instagram-Photos by Philippe Harewood
• [Mar 13 - $ ???] View-The-Facebook-Stories-For-Any-Media-Effect by Philippe Harewood
• [Mar 10 - $ ???] Access to FBConnections by Philippe Harewood
• [Feb 24 - $ 1,500] How I was able to delete any image in Facebook community by Sarmad Hassan
• [Feb 23 - $ ???] Disclose-Facebook-Page-Admins-In-3d by Philippe Harewood
• [Feb 21 - $ ???] Change-The-Background-Of-3d-Posts-For-Any-Facebook-User by Philippe Harewood
• [Feb 11 - $ ???] Create-Learning-Units-For-Any-Group by Philippe Harewood
• [Jan 22 - $ ???] Path-Disclosure-In-Instagram-Ads-Graphql by Philippe Harewood
• [Jan 16 - $ ???] View-The-Vr-Experiences-For-Any-Oculus-User by Philippe Harewood
• [Jan 15 - $ ???] View-The-Email-Subscriptions-For-Any-Oculus-User by Philippe Harewood
• [Jan 15 - $ ???] View-The-Bug-Subscriptions-For-Any-Oculus-User by Philippe Harewood
• [Jan 10 - $ ???] Unintended-Control-Over-The-Email-Body-In-Partner-Integration-Email-Instructions/ by Philippe Harewood
• [Jan 05 - $ ???] Disclose-Page-Admins-Via-Our-Story-Feature by Philippe Harewood

2017 Facebook Bug Bounty Write-ups

• [Dec 26 - $ ???] Facebook-Ad-Spend-Details-Leaking-For-Facebook-Marketing by Philippe Harewood
• [Dec 21 - $ ???] Searching-Internal-Gatekeeper-Constants by Philippe Harewood
• [Oct 24 - $ ???] Make-Recruiting-Referrals-On-Behalf-Of-Facebook by Philippe Harewood
• [Oct 26 - $ ???] Posting-Gifs-As-Anyone-On-Facebook by Philippe Harewood
• [Oct 11 - $ ???] View-Former-Members-Of-A-Facebook-Group by Philippe Harewood
• [Oct 08 - $ ???] Facebook-Graphql-Csrf by Philippe Harewood
• [Sep 18 - $ ???] Disclose-Users-With-Roles-On-Facebook-Pages by Philippe Harewood
• [Aug 24 - $ ???] Facebook-Stories-Disclose-Facebook-Friend-List by Philippe Harewood
• [May 11 - $ ???] Find-Mingle-Suggestions-For-Any-Facebook-User-Revisited by Philippe Harewood
• [May 08 - $ ???] Determine-A-User-From-A-Private-Phone-Number by Philippe Harewood
• [Mar 24 - $ ???] Find-Instagram-Contacts-For-Any-User-On-Facebook by Philippe Harewood
• [Feb 02 - $ ???] Find-Mingle-Suggestions-For-Any-Facebook-User by Philippe Harewood
• [Jan 20 - $ ???] Delete-A-Hotel-Object-From-A-Facebook-Product-Catalog by Philippe Harewood
• [Jan 04 - $ ???] See-If-Any-Facebook-User-Is-Marked-In-A-Crisis by Philippe Harewood
• [Jan 04 - $ ???] Order-Facebook-Friends-By-Facebook-Recruiting-Technical-Coefficient by Philippe Harewood