Meta Bug Bounty
Role
Full-stack engineer (individual contributor)
Stack
React (Flow), GraphQL, Relay, PHP, ORM, CMS
Status
Live
Description
Meta Bug Bounty is Meta's security research program website where ethical hackers can report vulnerabilities across Meta products and technologies. The site provides program rules, eligible targets, reporting guidelines, and reward information to help researchers responsibly disclose bugs that could affect user safety, privacy, or platform security.

I worked on the Bug Bounty platform as a full-stack engineer. Most of my time went to the marketing site: building pages, components, and CMS content. I also built the storage and intake for the program's large research assets, the researcher settings UI, and performance improvements on the leaderboard, around the time the program moved its bug-reporting system off Facebook.com onto the new domain.
What I built
- An ORM-backed entity schema to store and manage large multi-GB security research assets: file upload, permission policies, privacy rules, and deletion handling.
- The asset request form, where researchers submit their details to get access. It collects PII (name, email, address) so the program can follow up with people who download an asset. I implemented the full submission-to-logging pipeline on Meta's logging infrastructure with PII annotations and took it through an internal privacy review.
- The researcher preference settings UI, behind the platform's authentication: a preferred-invite-types checklist, a preferred-products checklist, and a max-simultaneous-invites stepper, with validation, toast feedback, disabled-state handling when invites are set to zero, and optimistic UI that rolls back to the last saved state when a save fails. It reads and writes researchers' preferences over GraphQL via preloaded queries.
- A new Tools landing page from scratch: hero section, a responsive grid of tool cards, and SEO meta tags, plus a reusable CMS card-link template so new tools could be added through the CMS without a code change.
- Marketing site pages and components, plus CMS-driven content, on the platform's design system.
Performance and fixes
The leaderboard's GraphQL endpoint was running nested loops over a broad sorted-entries query and then filtering the results in code. I replaced that with a targeted query filtered at the database level and added memoization, which cut the time complexity. I also consolidated the leaderboard's data fetching, year and league filtering, and score sorting into a single reusable, memoized utility, and fixed a set of UI and data bugs on the leaderboard.
In the asset form's analytics, submission events were sampled at 1 in 100, so only 1% of them were captured; I set the sampling rate to 1 in 1. A timestamp field was logged in seconds but read as milliseconds downstream, so a seconds-epoch value landed in 1970 and the pipeline kept rejecting events as "older than 1826 days." Removing that field fixed the ingestion.
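As an added illustration of the seconds-versus-milliseconds mismatch above (not Meta's code), the snippet below reproduces the rejection and adds a small unit guard at the producer side; the 1826-day window is the threshold the page states, while the event shape, field names and `MIN_PLAUSIBLE_MS` heuristic are assumptions made for the example.

```javascript
// Added example, not the platform's own code. Event shape and field names
// are constructed for illustration; 1826 days is the page's stated window.
const MAX_AGE_DAYS = 1826;
const MS_PER_DAY = 24 * 60 * 60 * 1000;

// Downstream consumer: treats `timestamp` as epoch milliseconds.
function isWithinRetention(event, nowMs) {
  const ageMs = nowMs - event.timestamp;
  return ageMs <= MAX_AGE_DAYS * MS_PER_DAY;
}

// Heuristic (assumption): an epoch value below 1e11 cannot be milliseconds
// for any date after early 1973, so it is almost certainly seconds.
const MIN_PLAUSIBLE_MS = 1e11;

function classifyTimestampUnit(value) {
  if (!Number.isFinite(value) || value <= 0) return "invalid";
  return value < MIN_PLAUSIBLE_MS ? "seconds" : "milliseconds";
}

// Normalize at the producer so logger and consumer agree on the unit.
function normalizeToMs(value) {
  const unit = classifyTimestampUnit(value);
  if (unit === "invalid") throw new RangeError(`bad timestamp: ${value}`);
  return unit === "seconds" ? value * 1000 : value;
}

// Constructed sample: a form submission logged 10 minutes before `nowMs`.
const nowMs = Date.UTC(2024, 0, 15, 12, 0, 0);
const submittedAtMs = nowMs - 10 * 60 * 1000;
// The buggy producer wrote seconds into a field the consumer reads as ms.
const buggyEvent = { formId: "asset-request", timestamp: Math.floor(submittedAtMs / 1000) };
const fixedEvent = { formId: "asset-request", timestamp: normalizeToMs(buggyEvent.timestamp) };

function demo() {
  return {
    // Seconds read as ms looks like January 1970: ~19,700 days old, rejected.
    buggyAccepted: isWithinRetention(buggyEvent, nowMs),
    // Same instant normalized to ms is 10 minutes old, accepted.
    fixedAccepted: isWithinRetention(fixedEvent, nowMs),
    buggyUnit: classifyTimestampUnit(buggyEvent.timestamp),
  };
}
```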
Result
- Large research assets stored and managed through a permissioned, privacy-aware schema.
- A PII-collecting asset request form with a full submission-to-logging pipeline that passed internal privacy review.
- Researcher settings running on GraphQL with live read and write, edge-case handling, and rollback on a failed save.
- Leaderboard performance improved through database-level filtering and memoization.
- New marketing pages shipped end-to-end.
