Instagram Launches Bug Bounty for Apps that Steal User Data

On Wednesday, Facebook expanded beyond its bounties for third party apps stealing user data to also apply to Instagram.
Hackers stealing an Instagram account
Image: Cathryn Virginia

On Monday, Instagram announced a new bug bounty program for finding third party apps that improperly access or store user data.

Facebook launched its own "Data Abuse Bounty" last year, with the goal of whittling out data abuse from app developers.

“Putting people first is one of Instagram’s most important values, and keeping our service secure is an essential part of the work we do to serve our community. Expanding and building on the Facebook bug bounty program is a key development in our ongoing security efforts, and we are grateful to the wider security community for all they do to help keep our platforms safe," Instagram’s Head of Engineering Nam Nguyen said in an emailed statement.


In its announcement blog post, Instagram wrote, "Our goal is to help protect the information people share on Instagram and encourage security researchers to report potential abuse to us so we can quickly take action. Just like our bug bounty program, we will reward reports based on impact and quality."

Do you work at Instagram? Did you used to? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on, or email

Instagram's blog post did not say how much it will pay for these sorts of bounties, but a company spokesperson pointed to several statistics from Facebook's bounty programs in general, including that the average amount trended around $1,500.

In its blog post, Instagram also announced an invite-only bug bounty for the company's upcoming Checkout feature, which lets users purchase items without leaving the Instagram app.

"As part of their participation, the researchers will receive early access to the feature and receive bounty awards for eligible reports. The researchers who are helping us test this feature have previously submitted high-quality research to our bug bounty program," the post reads.

The news of the data abuse bounty comes after, but not in response to, Business Insider found a startup called Hyp3r had tracked Instagram users' locations.

Subscribe to our new cybersecurity podcast, CYBER.