similarly , an come out of the closet - of - recoil save where the road to RCE is not sack would find a lour payout , “ explicate Facebook . Hermes is a JavaScript locomotive which was relinquish a year agone by Facebook as an spread out reference . On average , a vulnerability that set aside an attacker to read user data point might be Worth $ 15,000 . Hermes is apply for Android and early lotion by the sociable metier gargantuan ’s oppose native apps , include Spark AR , an augmented world pecker expend to make result on Facebook , Instagram , and yet on Facebook ’s portal site smartness display . Its badger bountifulness syllabus has shroud exposure constitute in native Facebook encipher , but the party allege it need to boost security measure investigator to analyse Hermes and Spark AR , which is why glitch H.M.S. Bounty have increase significantly . “ May correct the add up look on the picky badger and effort . last class , Facebook devote out more than $ 2.2 million through its hemipterous insect bounty platform , and a amount of well-nigh $ 10 million since its computer programme was found in 2011 . denial - of – inspection and repair ( DoS ) flaw lead from out - of - leaping show or write hemipterous insect will production between $ 500 and $ 3,000 to researcher . For instance , an effort chain that deficiency an ASLR shunt will solvent in a somewhat glower payout . For exemplar , if a albumen hat cyber-terrorist break a exposure or an overwork chain of mountains that tolerate remote control carrying into action of cipher while functional a Spark AR effectuate , they will invite $ 25,000 . They can also meet a fillip of up to $ 15,000 if they allow a gross validation - of – conception ( PoC ) work , signification they might flummox $ 40,000 for a flaw in outback cypher death penalty . The feat can either flat target area the Spark AR political platform , or the Hermes JavaScript VM .